From ce1c863b3a6660a45564f52165fb25a299c2b3a0 Mon Sep 17 00:00:00 2001 From: mirsal Date: Wed, 11 Feb 2026 03:43:51 +0000 Subject: [PATCH] compose: Switch to host-mode port publishing by default By default, swarm services use ingress mode port publishing, which is not ideal for traefik (it breaks IPv6 ingress and there is no need to load-balance traffic between multiple traefik instances or to route it from multiple swarm nodes) This commit switches traefik's port publishing mode to `host` for all of its exposed ports as well as: * change traefik's update order to stop-first (there cannot be multiple containers exposing the same port when using host-mode publishing) * use `endpoint_mode: dnsrr` instead of the default `vip` * remove all overrides from `compose.host.yml`, leaving the file empty for backwards compatibility * allow overriding traefik's endpoint_mode back to vip through compose.no-host.yml /!\ This is a breaking change Closes: #52 --- .env.sample | 10 ++++++++-- compose.compy.yml | 5 ++++- compose.foodsoft.yml | 5 ++++- compose.gitea.yml | 5 ++++- compose.host.yml | 13 ------------- compose.irc.yml | 5 ++++- compose.matrix.yml | 5 ++++- compose.minio.yml | 5 ++++- compose.mumble.yml | 11 ++++++++--- compose.nextcloud-talk-hpb.yml | 10 ++++++++-- compose.no-host.yml | 16 ++++++++++++++++ compose.peertube.yml | 5 ++++- compose.smtp.yml | 5 ++++- compose.ssb.yml | 5 ++++- compose.web-alt.yml | 5 ++++- compose.yml | 13 ++++++++++--- release/next | 11 +++++++++++ 17 files changed, 101 insertions(+), 33 deletions(-) create mode 100644 compose.no-host.yml create mode 100644 release/next diff --git a/.env.sample b/.env.sample index 5f97943..af8e523 100644 --- a/.env.sample +++ b/.env.sample 
@@ -19,8 +19,14 @@ COMPOSE_FILE="compose.yml" # General settings # ##################################################################### -## Host-mode networking -#COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml" +## Ingress-mode port publishing for ports 80 and 443 +## +## /!\ Using this prevents the use of any compose override adding +## published ports to the traefik_app service (almost all of them) +## and it prevents the use of IPv6 for ingress traffic. +## Do not uncomment unless you know exactly what you are doing +## +#COMPOSE_FILE="$COMPOSE_FILE:compose.no-host.yml" ## "Headless mode" (no domain configured) #COMPOSE_FILE="$COMPOSE_FILE:compose.headless.yml" diff --git a/compose.compy.yml b/compose.compy.yml index 65fd49c..3b45820 100644 --- a/compose.compy.yml +++ b/compose.compy.yml @@ -4,4 +4,7 @@ services: environment: - COMPY_ENABLED ports: - - "9999:9999" + - target: 9999 + published: 9999 + protocol: tcp + mode: host diff --git a/compose.foodsoft.yml b/compose.foodsoft.yml index 8ac770d..97e3e97 100644 --- a/compose.foodsoft.yml +++ b/compose.foodsoft.yml @@ -4,4 +4,7 @@ services: environment: - FOODSOFT_SMTP_ENABLED ports: - - "2525:2525" + - target: 2525 + published: 2525 + protocol: tcp + mode: host diff --git a/compose.gitea.yml b/compose.gitea.yml index bf58bb3..09350bc 100644 --- a/compose.gitea.yml +++ b/compose.gitea.yml @@ -4,4 +4,7 @@ services: environment: - GITEA_SSH_ENABLED ports: - - "2222:2222" + - target: 2222 + published: 2222 + protocol: tcp + mode: host diff --git a/compose.host.yml b/compose.host.yml index b4fef30..64d2ba2 100644 --- a/compose.host.yml +++ b/compose.host.yml @@ -1,15 +1,2 @@ --- version: "3.8" - -services: - app: - deploy: - update_config: - order: stop-first - ports: - - target: 80 - published: 80 - mode: host - - target: 443 - published: 443 - mode: host diff --git a/compose.irc.yml b/compose.irc.yml index 109d986..3ab1dec 100644 --- a/compose.irc.yml +++ b/compose.irc.yml 
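Review bot: compose.host.yml is reduced to a bare `---` / `version: "3.8"` document with nothing in it saying why, so someone who still lists it in COMPOSE_FILE (the .env.sample hunk drops the only reference to it) cannot tell whether it is stale or deliberately kept. Since it is retained for backwards compatibility, say so in the file itself: `# Intentionally empty: host-mode port publishing is now the default in compose.yml.` followed by `# Kept so existing COMPOSE_FILE lists that name this file keep working.` That also makes clear that combining it with compose.no-host.yml is a no-op rather than a conflict.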
@@ -4,4 +4,7 @@ services:
 environment:
 - IRC_ENABLED
 ports:
- - "6697:6697"
+ - target: 6697
+ published: 6697
+ protocol: tcp
+ mode: host
diff --git a/compose.matrix.yml b/compose.matrix.yml
index 558898d..615b1ed 100644
--- a/compose.matrix.yml
+++ b/compose.matrix.yml
@@ -4,4 +4,7 @@ services:
 environment:
 - MATRIX_FEDERATION_ENABLED
 ports:
- - "8448:8448"
+ - target: 8448
+ published: 8448
+ protocol: tcp
+ mode: host
diff --git a/compose.minio.yml b/compose.minio.yml
index 44dceb1..b182822 100644
--- a/compose.minio.yml
+++ b/compose.minio.yml
@@ -6,4 +6,7 @@ services:
 environment:
 - MINIO_CONSOLE_ENABLED
 ports:
- - "9001:9001"
+ - target: 9001
+ published: 9001
+ protocol: tcp
+ mode: host
diff --git a/compose.mumble.yml b/compose.mumble.yml
index e2ea8bd..b03f853 100644
--- a/compose.mumble.yml
+++ b/compose.mumble.yml
@@ -4,6 +4,11 @@ services:
 environment:
 - MUMBLE_ENABLED
 ports:
- - "64738:64738/udp"
- # note (3wc): see https://github.com/docker/compose/issues/7627
- - "64737-64739:64737-64739/tcp"
+ - target: 64738
+ published: 64738
+ protocol: udp
+ mode: host
+ - target: 64738
+ published: 64738
+ protocol: tcp
+ mode: host
diff --git a/compose.nextcloud-talk-hpb.yml b/compose.nextcloud-talk-hpb.yml
index 7ee4b3e..8c935b9 100644
--- a/compose.nextcloud-talk-hpb.yml
+++ b/compose.nextcloud-talk-hpb.yml
@@ -4,5 +4,11 @@ services:
 environment:
 - NEXTCLOUD_TALK_HPB_ENABLED
 ports:
- - "3478:3478/udp"
- - "3478:3478/tcp"
\ No newline at end of file
+ - target: 3478
+ published: 3478
+ protocol: udp
+ mode: host
+ - target: 3478
+ published: 3478
+ protocol: tcp
+ mode: host
\ No newline at end of file
diff --git a/compose.no-host.yml b/compose.no-host.yml
new file mode 100644
index 0000000..9a0c36d
--- /dev/null
+++ b/compose.no-host.yml
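Review bot: The TCP publication shrinks from the `64737-64739` range to `64738` alone, so TCP 64737 and 64739 stop being bound on the host; the removed comment says the range only existed as a workaround for docker/compose#7627, which the long syntax sidesteps, so this looks intended and it is a welcome reduction of exposed surface. Neither the commit message nor release/next mentions it, though, and it is a visible change for anyone who had firewall rules or clients on those ports. Add one line to release/next noting that Mumble now publishes only 64738/udp and 64738/tcp, or re-add the two extra ports explicitly in long syntax if something relied on them.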
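Review bot: The new side still ends without a trailing newline (`\ No newline at end of file` follows the last `mode: host`), even though every line of the `ports` block is rewritten by this commit. Adding the newline now costs nothing, keeps yamllint's `new-line-at-end-of-file` check quiet and avoids a spurious one-line hunk the next time this file is touched. The rest of the service definition lies outside the hunk.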
@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+ app:
+ ports:
+ - target: 80
+ published: 80
+ protocol: tcp
+ mode: ingress
+ - target: 443
+ published: 443
+ protocol: tcp
+ mode: ingress
+ deploy:
+ endpoint_mode: vip
diff --git a/compose.peertube.yml b/compose.peertube.yml
index fe515a7..9af306a 100644
--- a/compose.peertube.yml
+++ b/compose.peertube.yml
@@ -4,4 +4,7 @@ services:
 environment:
 - PEERTUBE_RTMP_ENABLED
 ports:
- - "1935:1935"
+ - target: 1935
+ published: 1935
+ protocol: tcp
+ mode: host
diff --git a/compose.smtp.yml b/compose.smtp.yml
index 16d503c..927766b 100644
--- a/compose.smtp.yml
+++ b/compose.smtp.yml
@@ -6,4 +6,7 @@ services:
 environment:
 - SMTP_ENABLED
 ports:
- - "587:587"
+ - target: 587
+ published: 587
+ protocol: tcp
+ mode: host
diff --git a/compose.ssb.yml b/compose.ssb.yml
index 76520f3..367b7cf 100644
--- a/compose.ssb.yml
+++ b/compose.ssb.yml
@@ -4,4 +4,7 @@ services:
 environment:
 - SSB_MUXRPC_ENABLED
 ports:
- - "8008:8008"
+ - target: 8008
+ published: 8008
+ protocol: tcp
+ mode: host
diff --git a/compose.web-alt.yml b/compose.web-alt.yml
index 39e7c32..95cf0f6 100644
--- a/compose.web-alt.yml
+++ b/compose.web-alt.yml
@@ -4,4 +4,7 @@ services:
 environment:
 - WEB_ALT_ENABLED
 ports:
- - "8000:8000"
+ - target: 8000
+ published: 8000
+ protocol: tcp
+ mode: host
diff --git a/compose.yml b/compose.yml
index c55df95..156fa26 100644
--- a/compose.yml
+++ b/compose.yml
@@ -8,8 +8,14 @@ services:
 # Doing so could break new installs with port conflicts. Please use
 # the usual `compose.$app.yml` approach for any additional ports
 ports:
- - "80:80"
- - "443:443"
+ - target: 80
+ published: 80
+ protocol: tcp
+ mode: host
+ - target: 443
+ published: 443
+ protocol: tcp
+ mode: host
 volumes:
 - "letsencrypt:/etc/letsencrypt"
 - "file-providers:/etc/traefik/file-providers"
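Review bot: This override reverts 80/443 to `mode: ingress`, but the file carries none of the caveats that .env.sample attaches to it (it breaks IPv6 ingress and conflicts with every compose.<app>.yml that publishes extra ports on traefik_app), so anyone who reaches it without going through .env.sample gets no warning. Its effect also depends on the loader collapsing port entries that share target/published/protocol into one (the docker stack loader does, as far as I know; a loader that concatenates would leave port 80 declared in both modes), which is worth stating. A header comment would cover both: `# Opt-in: publish 80/443 through the swarm routing mesh (ingress) instead of host mode.` / `# Breaks IPv6 ingress and cannot be combined with any compose.<app>.yml that publishes ports; see .env.sample.`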
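Review bot: Host-mode publishing changes the client address Traefik sees: the swarm routing mesh does not preserve the peer's source address, so with ingress mode any IP-based middleware (ipAllowList/ipWhiteList, rateLimit keyed on source IP) and the access log saw an ingress-network address, whereas now they see the real peer. That is a security-relevant improvement and deserves a line in release/next, and any `forwardedHeaders.trustedIPs` or allowlist in the Traefik configuration (outside this diff) that was tuned for the ingress subnet should be re-checked. Separately, with no `host_ip` each entry binds on every address of the node, including `::` only when the daemon has IPv6 enabled, which the release note presumes; a comment such as `# binds on all node addresses; add host_ip: to restrict` (or an actual `host_ip`) would help operators whose nodes carry management addresses that should not serve 80/443. The `app` service definition continues beyond this hunk.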
@@ -37,9 +43,10 @@ services:
 command: traefik
 entrypoint: /custom-entrypoint.sh
 deploy:
+ endpoint_mode: dnsrr
 update_config:
 failure_action: rollback
- order: start-first
+ order: stop-first
 labels:
 - "traefik.enable=true"
 - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"
diff --git a/release/next b/release/next
new file mode 100644
index 0000000..dfe17d1
--- /dev/null
+++ b/release/next
@@ -0,0 +1,11 @@
+Short summary of the latest changes:
+
+ * Exposed ports have been switched to host-mode port publishing by default
+ This adds support for IPv6 ingress, which means that after deploying this
+ change, DNS AAAA records can be made to point to the relevant IPv6
+ address and Traefik will handle public IPv6 ingress traffic (including ACME
+ HTTP-01 challenges)
+
+ /!\ This is a breaking change. It is still possible to revert ports 80 and
+ 443 to ingress-mode (the previous default) but keep in mind that there
+ is no longer an easy way to publish additional ports in ingress mode.
-- 2.49.0
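Review bot: `endpoint_mode: dnsrr` is added without a comment saying why; host-mode ports work with either endpoint mode (the constraint runs the other way, since ingress-mode ports need `vip`), so the choice reads as arbitrary and the commit message only states it, not the reason. A why-comment would fix that: `# dnsrr: with host-mode published ports the routing-mesh VIP is unused; compose.no-host.yml restores vip`. Also, `order: stop-first` only stops two tasks from contending for 80/443 on the same node; on a multi-node swarm the replacement task can be scheduled elsewhere unless a placement constraint pins it, and none is visible in this hunk, so it is worth confirming one exists or documenting that Traefik is single-node by design. The `deploy` mapping continues past the end of the hunk.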