sni-router: review fixes — compose style, subnet caveat, IPv6 note

- Use list form for `networks: [sni]` on services that need no
  per-network config; keep map form only on `web` where ipv4_address
  requires it.
- README: note that the 172.28.0.0/24 subnet can be changed if it
  collides with an existing host network (and remind to update both
  files in lockstep).
- README: caveat that IPv6 fronting may lose the real client IP in
  Caddy's logs because mtg constructs a mixed-family PROXY v2 header
  (IPv6 source, IPv4 destination); Telegram traffic unaffected.

contrib/sni-router/README.md

@@ -83,7 +83,15 @@ IP, not a hostname, hence the static `sni` network).  `proxy-protocol =
 true` matches Caddy's `:8443` listener wrapper so the real client IP
 still propagates to Caddy's logs.
 
-If you change Caddy's pinned IP, update both files together.
+If you change Caddy's pinned IP, update both files together.  If
+`172.28.0.0/24` collides with another network on this host, change the
+subnet in `docker-compose.yml` and the IP in `mtg-config.toml` to match.
+
+> Caveat for IPv6 clients: when an IPv6 probe is fronted, mtg's
+> outbound PROXY v2 header has an IPv6 source but an IPv4 destination
+> (Caddy's pinned address).  Caddy may refuse the mixed-family header
+> and log the docker-network address instead of the real client IP for
+> that connection.  Telegram traffic is unaffected.
 
 ## ACME (Let's Encrypt) notes
 

contrib/sni-router/docker-compose.yml

@@ -31,7 +31,7 @@ services:
     sysctls:
       - net.ipv4.ip_unprivileged_port_start=80
     networks:
-      sni:
+      - sni
 
   mtg:
     image: nineseconds/mtg:2
@@ -43,7 +43,7 @@ services:
     extra_hosts:
       - "host.containers.internal:host-gateway"
     networks:
-      sni:
+      - sni
 
   web:
     image: caddy:alpine