From 03147e99dea93bda229634cd5980b8474ad41b14 Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien <tvanbesi@proton.me>
Date: Tue, 24 Mar 2026 12:01:44 +0100
Subject: Isolate database and mail behind internal Docker network

Remove exposed MariaDB port and split services into frontend/backend
networks. Only Nginx is reachable from the host; MariaDB and Mailpit
are only accessible to the PHP container.
---
 docker-compose.yml | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 1c6968f..a9af8ce 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,6 +7,8 @@ services:
       - ./src:/var/www/html
     depends_on:
       - php
+    networks:
+      - frontend
 
   php:
     build: ./docker/php
@@ -17,11 +19,16 @@ services:
     depends_on:
       - mariadb
       - mailpit
+    networks:
+      - frontend
+      - backend
 
   mailpit:
     image: axllent/mailpit:v1.24
     ports:
       - "8025:8025"
+    networks:
+      - backend
 
   mariadb:
     image: mariadb:10.11.11
@@ -30,8 +37,12 @@ services:
     volumes:
       - db_data:/var/lib/mysql
       - ./docker/mariadb/init.sql:/docker-entrypoint-initdb.d/init.sql
-    ports:
-      - "3306:3306"
+    networks:
+      - backend
 
 volumes:
   db_data:
+
+networks:
+  frontend:
+  backend:
-- 
cgit v1.2.3