Only expose socket proxy on internal networks

ansible/roles/db_auto_backup/files/docker-compose.yml

@@ -9,6 +9,9 @@ services:
       - HEALTHCHECKS_ID={{ vault_db_auto_backup_healthchecks_id }}
     depends_on:
       - docker_proxy
+    networks:
+      - default
+      - backup_private
 
   docker_proxy:
     image: lscr.io/linuxserver/socket-proxy:latest
@@ -20,5 +23,13 @@ services:
       - EXEC=1
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - backup_private
+    tmpfs:
+      - /run
     logging:
       driver: none
+
+networks:
+  backup_private:
+    internal: true

ansible/roles/forgejo_runner/files/docker-compose.yml

@@ -10,6 +10,9 @@ services:
       - DOCKER_HOST=tcp://docker_proxy:2375
     restart: unless-stopped
     command: forgejo-runner daemon
+    networks:
+      - default
+      - forgejo_private
     depends_on:
       - docker_proxy
 
@@ -31,5 +34,11 @@ services:
       - /run
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - forgejo_private
     logging:
       driver: none
+
+networks:
+  forgejo_private:
+    internal: true

ansible/roles/renovate/files/docker-compose.yml

@@ -9,6 +9,9 @@ services:
       - DOCKER_HOST=tcp://docker_proxy:2375
       - LOG_LEVEL=debug  # Noisy, but required for debugging
     restart: unless-stopped
+    networks:
+      - default
+      - renovate_private
     depends_on:
       - redis
       - docker_proxy
@@ -33,5 +36,13 @@ services:
       - IMAGES=1
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - renovate_private
+    tmpfs:
+      - /run
     logging:
       driver: none
+
+networks:
+  renovate_private:
+    internal: true

ansible/roles/traefik/files/docker-compose.yml

@@ -29,6 +29,8 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     networks:
       - proxy_private
+    tmpfs:
+      - /run
     logging:
       driver: none