From 850944944d2348576a9a21d3256d945300f03ce7 Mon Sep 17 00:00:00 2001
From: Siavash Sameni <manwe@MacBook-Air.local>
Date: Mon, 30 Mar 2026 11:26:12 +0400
Subject: [PATCH] revert: Caddy back to bridge network (host mode breaks
 OrbStack)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 warzone/deploy/docker/Caddyfile          |  4 ++--
 warzone/deploy/docker/docker-compose.yml | 20 +++++++++++---------
 2 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/warzone/deploy/docker/Caddyfile b/warzone/deploy/docker/Caddyfile
index 35a19ed..a9bf447 100644
--- a/warzone/deploy/docker/Caddyfile
+++ b/warzone/deploy/docker/Caddyfile
@@ -9,9 +9,9 @@ voip.manko.yoga {
 
 	# Audio bridge WebSocket (wzp-web)
 	handle_path /audio/* {
-		reverse_proxy 172.28.0.30:8080
+		reverse_proxy wzp-web:8080
 	}
 
 	# Everything else → featherChat server
-	reverse_proxy 172.28.0.20:7700
+	reverse_proxy warzone-server:7700
 }
diff --git a/warzone/deploy/docker/docker-compose.yml b/warzone/deploy/docker/docker-compose.yml
index 734fd7c..6b5ab01 100644
--- a/warzone/deploy/docker/docker-compose.yml
+++ b/warzone/deploy/docker/docker-compose.yml
@@ -8,13 +8,15 @@
 
 services:
   # ─── Caddy reverse proxy (TLS termination) ───
-  # Uses host network so it sees real client IPs (not Docker NAT)
   caddy:
     build:
       context: .
       dockerfile: Dockerfile.caddy
     restart: unless-stopped
-    network_mode: host
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"   # HTTP/3 (QUIC)
     volumes:
       - ./Caddyfile:/etc/caddy/Caddyfile:ro
       - caddy_data:/data
@@ -25,6 +27,9 @@ services:
     depends_on:
       - warzone-server
       - wzp-web
+    networks:
+      - frontend
+      - backend
 
   # ─── featherChat server ───
   warzone-server:
@@ -33,15 +38,13 @@ services:
       dockerfile: warzone/deploy/docker/Dockerfile.server
     restart: unless-stopped
     environment:
-      # Browser connects to audio via Caddy: wss://voip.manko.yoga/audio/ws/ROOM
       WZP_RELAY_ADDR: "voip.manko.yoga/audio"
       RUST_LOG: "info"
     volumes:
       - server_data:/data
     command: ["--bind", "0.0.0.0:7700", "--enable-bots"]
     networks:
-      backend:
-        ipv4_address: 172.28.0.20
+      - backend
 
   # ─── WZP QUIC relay (audio SFU) ───
   wzp-relay:
@@ -54,7 +57,7 @@ services:
       - "--listen"
       - "0.0.0.0:4433"
       - "--auth-url"
-      - "http://172.28.0.20:7700/v1/auth/validate"
+      - "http://warzone-server:7700/v1/auth/validate"
     networks:
       backend:
         ipv4_address: 172.28.0.10
@@ -72,13 +75,12 @@ services:
       - "--relay"
       - "172.28.0.10:4433"
       - "--auth-url"
-      - "http://172.28.0.20:7700/v1/auth/validate"
+      - "http://warzone-server:7700/v1/auth/validate"
     depends_on:
       - wzp-relay
       - warzone-server
     networks:
-      backend:
-        ipv4_address: 172.28.0.30
+      - backend
 
 secrets:
   cf_api_token: