by fswd
1263 days ago
I use a monorepo (turbo) that has a directory: ./app/<docker workspace or app name>. In it I have a package.json that runs docker-compose up. I use regular .env files and keep a .env.sample in the repo. The docker-compose brings up the services and volume-mounts the .env into its local environment (same with /data, for example for postgres or some other package).

I then disable iptables in /etc/docker/daemon.json: "iptables": false
to prevent docker from poking a hole in my firewall. (This should be on by default..)

I also enable user namespaces with this: "userns-remap": "default" so that the docker image runs isolated. I can disable this in my docker-compose with userns=host. Actual instructions are slightly different, but:
https://docs.docker.com/engine/security/userns-remap/

I also found I could disable networking altogether on some services, and just expose a port. Some services don't need to connect to the net.

Then I run a cloudflare argo tunnel to the application. But you could also use an nginx reverse proxy, some other tunnel, or a one-page express.js reverse proxy with pm2. There's a cloudflare argo tunnel docker-compose setup which allows you to type in your tunnel information in the config. I thought that was cool but I did not try it.
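A way to check the two daemon.json settings the comment above turns on, and to flag the per-service Compose overrides that weaken them (userns=host, host networking, privileged), as an added example that is not code from the original comment. The audit and harden helpers are my own and their names are hypothetical; the sample daemon.json and the service definitions are constructed here, not taken from any real host, and the Compose file is represented as an already-parsed dict so the script needs no YAML library.

```python
"""Audit /etc/docker/daemon.json and a docker-compose service map for the
hardening in the post above: Docker not managing iptables, user-namespace
remapping on, and no per-service override that silently opts back out.

Added example, not the commenter's code. Sample inputs below are constructed.
"""
import json
import os

# The two daemon.json keys the post sets.  Both defaults are the weak ones:
# "iptables" defaults to true (Docker inserts its own FORWARD/NAT rules, so a
# published port bypasses a host firewall that only filters INPUT) and
# "userns-remap" defaults to unset (container uid 0 == host uid 0).
HARDENED_DAEMON = {"iptables": False, "userns-remap": "default"}


def load_daemon_json(path="/etc/docker/daemon.json") -> dict:
    """Read daemon.json; a missing file means every setting is at its default."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_daemon(cfg: dict) -> list[str]:
    """Return one finding per weak or missing daemon.json key."""
    findings = []
    # Must be the JSON boolean false; the string "false" is not the same thing.
    if cfg.get("iptables", True) is not False:
        findings.append('iptables: Docker manages iptables and will open published '
                        'ports through the host firewall; set "iptables": false')
    if not cfg.get("userns-remap"):
        findings.append('userns-remap: not set, so root in a container is root on '
                        'the host; set "userns-remap": "default"')
    return findings


def harden_daemon(cfg: dict) -> dict:
    """Return a copy of cfg with the hardened keys applied, keeping other keys."""
    out = dict(cfg)
    out.update(HARDENED_DAEMON)
    return out


def audit_compose_services(services: dict) -> list[str]:
    """Flag service settings that opt out of userns-remap or need host namespaces.

    With userns-remap enabled, the daemon refuses --network=host, --pid=host and
    --privileged unless the container also runs with --userns=host (Docker docs),
    and userns=host itself is the escape hatch the post mentions.
    """
    findings = []
    for name, svc in services.items():
        host_userns = svc.get("userns_mode") == "host"
        if host_userns:
            findings.append(f"{name}: userns_mode=host opts out of userns-remap; "
                            "container root is host root")
        if svc.get("network_mode") == "host" and not host_userns:
            findings.append(f"{name}: network_mode=host is rejected under "
                            "userns-remap unless userns_mode=host is also set")
        if svc.get("pid") == "host" and not host_userns:
            findings.append(f"{name}: pid=host is rejected under userns-remap "
                            "unless userns_mode=host is also set")
        if svc.get("privileged") and not host_userns:
            findings.append(f"{name}: privileged is rejected under userns-remap "
                            "unless userns_mode=host is also set")
    return findings


# Constructed sample: a daemon.json that only sets a log driver (both hardening
# keys at their defaults) and a small compose file in the post's layout.
SAMPLE_DAEMON = json.loads('{"log-driver": "json-file"}')
SAMPLE_SERVICES = {
    "postgres": {"image": "postgres:15", "env_file": [".env"],
                 "network_mode": "none",          # no net needed, as in the post
                 "volumes": ["./data:/var/lib/postgresql/data"]},
    "web": {"build": ".", "env_file": [".env"],
            "ports": ["127.0.0.1:3000:3000"]},   # loopback only; tunnel in front
    "agent": {"image": "example/exporter", "userns_mode": "host", "pid": "host"},
    "sniffer": {"image": "example/tcpdump", "network_mode": "host"},
}

if __name__ == "__main__":
    for line in audit_daemon(SAMPLE_DAEMON):
        print("daemon.json:", line)
    print("hardened:", json.dumps(harden_daemon(SAMPLE_DAEMON), indent=2))
    for line in audit_compose_services(SAMPLE_SERVICES):
        print("compose:", line)
```

Run it as-is to see the findings on the constructed input, or replace SAMPLE_DAEMON with load_daemon_json() on a host. The iptables check deliberately tests for the JSON boolean: a daemon.json containing "iptables": "false" is not what the comment describes and the daemon will not treat it as off.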