SOCFortress WAF: new service #321

Open
ChillBill77 wants to merge 9 commits into tailscale-dev:main from ChillBill77:socfortress-waf-ts

Conversation

@ChillBill77

Contributor

SOCFortress WAF: new service (Tailscale-served admin UI)

Description

Adds the SOCFortress WAF Management Platform
as a new service. Unlike the single-app template, this is a multi-container stack
(Caddy+Coraza WAF engine, FastAPI admin API, React/Nginx admin UI, PostgreSQL,
Redis, demo upstream). A Tailscale sidecar serves the admin UI privately over
the Tailnet via Tailscale Serve (Funnel disabled); the WAF data plane
(caddy-waf) stays published on host 80/443 so per-site Let's Encrypt and real
client IPs keep working.

Because it is a multi-service stack, network_mode: service:tailscale is not
usable (it collapses the namespace and breaks Docker DNS between the services).
Instead the Tailscale container runs as a normal peer on the stack's internal
network and reverse-proxies to admin-ui:8080 by container name using the
https+insecure:// scheme (the UI serves self-signed HTTPS internally; the
public *.ts.net cert is valid).

Related Issues

  • None.

Verification

  • docker compose config --quiet → exit 0 (schema, interpolation, and merge valid; Compose v2).
  • YAML and the embedded Serve JSON parse-checked; all volume / network / config / depends_on references resolve.
  • Live docker compose up -d: stack starts and the admin UI is reachable.

Checklist

  • I have performed a self-review of my code and followed the template's structure.
  • I have added verification that the stack works as expected.
  • I have updated necessary documentation (e.g. frontpage README.md).

Additional Context

Intentional deviations from templates/service-template, with rationale:

  • No network_mode: service:tailscale — multi-service stack; Tailscale is a
    peer on the internal network proxying to admin-ui:8080 by DNS name.
  • TS_USERSPACE=true (no /dev/net/tun, no cap_add: net_admin) — only the
    admin UI is served, so kernel networking isn't needed; least privilege.
  • https+insecure:// backend — admin UI is self-signed HTTPS internally.
  • Data plane exposed on host 80/443 — required; the WAF must receive real
    public traffic. Only the admin UI is Tailnet-only.
  • Funnel disabled — would collapse multi-site hosting to one *.ts.net
    hostname, break per-site ACME, and hide real client IPs (degrading GeoIP).

User gotchas:

  • Enable HTTPS/MagicDNS in the tailnet or Serve can't provision a cert.
  • Set ALLOWED_ORIGINS=https://<host>.<tailnet>.ts.net (CORS, no wildcard) or login fails.
  • Supply your own GeoLite2-City.mmdb (MaxMind licensing).
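The sidecar layout described in the deviations and gotchas above, as an added compose sketch that is not part of this PR's files. Service and image names, the waf-admin hostname, the volume and network names and the ALLOWED_ORIGINS value are assumed placeholders; TS_USERSPACE, TS_SERVE_CONFIG and the Serve JSON shape follow the Tailscale container's documented settings.

```yaml
services:
  tailscale:
    image: tailscale/tailscale:latest
    hostname: waf-admin                  # assumed; becomes waf-admin.<tailnet>.ts.net
    environment:
      TS_AUTHKEY: ${TS_AUTHKEY}
      TS_USERSPACE: "true"               # no /dev/net/tun, no cap_add: net_admin
      TS_STATE_DIR: /var/lib/tailscale
      TS_SERVE_CONFIG: /config/serve.json
    volumes:
      - ts-state:/var/lib/tailscale
    configs:
      - source: ts-serve
        target: /config/serve.json
    networks: [internal]                 # plain peer; admin-ui resolves by Docker DNS
    # no ports: and no network_mode: service:tailscale

  admin-ui:
    image: example/socfortress-admin-ui  # placeholder image name
    environment:
      # must match the Serve hostname exactly; no wildcard, or login fails
      ALLOWED_ORIGINS: https://waf-admin.example-tailnet.ts.net
    networks: [internal]                 # not published on the host

  caddy-waf:
    image: example/socfortress-caddy-waf # placeholder image name
    ports: ["80:80", "443:443"]          # data plane stays public for ACME / client IPs
    networks: [internal]

configs:
  ts-serve:
    # "$$" keeps ${TS_CERT_DOMAIN} literal for containerboot to expand at start-up
    content: |
      {
        "TCP": { "443": { "HTTPS": true } },
        "Web": {
          "$${TS_CERT_DOMAIN}:443": {
            "Handlers": { "/": { "Proxy": "https+insecure://admin-ui:8080" } }
          }
        },
        "AllowFunnel": { "$${TS_CERT_DOMAIN}:443": false }
      }

volumes:
  ts-state:
networks:
  internal:
```

With HTTPS and MagicDNS enabled in the tailnet, the sidecar obtains the *.ts.net certificate and proxies only the admin UI, while none of the WAF containers gain kernel-networking capabilities.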
