refactor: [#248] implement three-network Docker segmentation for defense in depth

Replace single backend_network with three isolated networks:
- database_network: Tracker ↔ MySQL (reduces attack vectors from 3 to 1)
- metrics_network: Tracker ↔ Prometheus (metrics isolation)
- visualization_network: Prometheus ↔ Grafana (prevents direct access)

Security benefits:
- MySQL isolation: Only tracker has database access (least privilege)
- Metrics isolation: Grafana must query through Prometheus
- Lateral movement prevention: Compromised service cannot access unrelated services
- Defense in depth: Network segmentation + authentication + Docker port bindings + UFW

Changes:
- Modified templates/docker-compose/docker-compose.yml.tera
  - Replaced backend_network with three segmented networks
  - Added comprehensive security comments explaining topology and benefits
  - Services now use minimum required networks for their function
- Updated src/infrastructure/templating/docker_compose/template/renderer/docker_compose.rs
  - Fixed test assertion to check for new metrics_network instead of backend_network
- Updated docs/issues/248-docker-ufw-firewall-security-strategy.md
  - Marked Phase 3.2 as complete with all implementation tasks checked

References:
- ADR: docs/decisions/docker-ufw-firewall-security-strategy.md
- Analysis: docs/analysis/security/docker-network-segmentation-analysis.md

All tests pass (1562 passed), pre-commit validation successful (4m 32s)

Author: josecelano

docs/issues/248-docker-ufw-firewall-security-strategy.md

@@ -308,27 +308,27 @@ services:
 
 This phase is split into two critical subtasks that implement the layered security strategy.
 
-#### Subtask 3.1: Remove Obsolete UFW Firewall Configuration (estimated: 2-3 hours)
+#### Subtask 3.1: Remove Obsolete UFW Firewall Configuration (estimated: 2-3 hours) ✅ **COMPLETED**
 
 Since Docker bypasses UFW rules for published container ports, we no longer need UFW rules for application ports. UFW should only manage SSH access.
 
 **Files to Delete**:
 
-- [ ] **Delete firewall configuration playbook**: `templates/ansible/configure-tracker-firewall.yml` - obsolete since Docker bypasses UFW
-- [ ] **Delete firewall configuration step**: `src/application/steps/system/configure_tracker_firewall.rs` - tracker ports don't need UFW rules
+- [x] **Delete firewall configuration playbook**: `templates/ansible/configure-tracker-firewall.yml` - obsolete since Docker bypasses UFW
+- [x] **Delete firewall configuration step**: `src/application/steps/system/configure_tracker_firewall.rs` - tracker ports don't need UFW rules
 
 **Files to Modify**:
 
-- [ ] **Remove playbook registration**: Remove `configure-tracker-firewall.yml` from `src/infrastructure/templating/ansible/template/renderer/project_generator.rs` (in `copy_static_templates` method)
-- [ ] **Update base firewall playbook**: Update `templates/ansible/configure-firewall.yml` to clarify it only manages SSH access (not application ports) - add comments explaining Docker bypasses UFW
+- [x] **Remove playbook registration**: Remove `configure-tracker-firewall.yml` from `src/infrastructure/templating/ansible/template/renderer/project_generator.rs` (in `copy_static_templates` method)
+- [x] **Update base firewall playbook**: Update `templates/ansible/configure-firewall.yml` to clarify it only manages SSH access (not application ports) - add comments explaining Docker bypasses UFW
 
 **Validation**:
 
-- [ ] Compile code and verify no broken references to deleted files
-- [ ] Run unit tests: `cargo test`
-- [ ] Run linters: `./scripts/pre-commit.sh`
+- [x] Compile code and verify no broken references to deleted files
+- [x] Run unit tests: `cargo test`
+- [x] Run linters: `./scripts/pre-commit.sh`
 
-#### Subtask 3.2: Implement Docker Network Segmentation (estimated: 4-5 hours) 🔴 CRITICAL
+#### Subtask 3.2: Implement Docker Network Segmentation (estimated: 4-5 hours) ✅ **COMPLETED**
 
 Implement Option A (Three-Network Segmentation) as documented in [`docs/analysis/security/docker-network-segmentation-analysis.md`](../analysis/security/docker-network-segmentation-analysis.md).
 
@@ -341,14 +341,15 @@ Implement Option A (Three-Network Segmentation) as documented in [`docs/analysis
 
 **Implementation**:
 
-- [ ] **Update docker-compose template**: Modify `templates/docker-compose/docker-compose.yml.tera`
+- [x] **Update docker-compose template**: Modify `templates/docker-compose/docker-compose.yml.tera`
   - Replace single `backend_network` with three networks: `database_network`, `metrics_network`, `visualization_network`
   - Configure Tracker to use: `database_network` + `metrics_network`
   - Configure MySQL to use: `database_network` only
   - Configure Prometheus to use: `metrics_network` + `visualization_network`
   - Configure Grafana to use: `visualization_network` only
-- [ ] **Add security comments**: Document each service's network membership and rationale
-- [ ] **Update network definitions**: Define three isolated networks in networks section
+- [x] **Add security comments**: Document each service's network membership and rationale
+- [x] **Update network definitions**: Define three isolated networks in networks section
+- [x] **Update tests**: Fix test assertions to check for new network names
 
 **Expected Network Topology**:
 

src/infrastructure/templating/docker_compose/template/renderer/docker_compose.rs

@@ -407,10 +407,10 @@ mod tests {
             "Should depend on tracker"
         );
 
-        // Verify network
+        // Verify network segmentation (security enhancement)
         assert!(
-            rendered_content.contains("- backend_network"),
-            "Should be on backend_network"
+            rendered_content.contains("- metrics_network"),
+            "Should be on metrics_network for tracker ↔ Prometheus communication"
         );
     }
 

templates/docker-compose/docker-compose.yml.tera

@@ -36,7 +36,12 @@ services:
       - TORRUST_TRACKER_CONFIG_TOML_PATH=${TORRUST_TRACKER_CONFIG_TOML_PATH}
       - TORRUST_TRACKER_CONFIG_OVERRIDE_HTTP_API__ACCESS_TOKENS__ADMIN=${TORRUST_TRACKER_CONFIG_OVERRIDE_HTTP_API__ACCESS_TOKENS__ADMIN}
     networks:
-      - backend_network
+{% if prometheus_config %}
+      - metrics_network  # Prometheus scrapes metrics from tracker
+{% endif %}
+{% if database.driver == "mysql" %}
+      - database_network  # Tracker connects to MySQL
+{% endif %}
     ports:
       # UDP Tracker Ports (dynamically configured)
 {%- for port in ports.udp_tracker_ports %}
@@ -64,7 +69,10 @@ services:
     tty: true
     restart: unless-stopped
     networks:
-      - backend_network
+      - metrics_network  # Scrapes metrics from tracker
+{% if grafana_config %}
+      - visualization_network  # Grafana queries Prometheus
+{% endif %}
     ports:
       - "127.0.0.1:9090:9090"  # Localhost only - not exposed to external network
     # Grafana accesses Prometheus via Docker network: http://prometheus:9090
@@ -92,7 +100,7 @@ services:
     tty: true
     restart: unless-stopped
     networks:
-      - backend_network
+      - visualization_network  # Queries Prometheus data source
     ports:
       - "3100:3000"
     environment:
@@ -131,7 +139,7 @@ services:
       - MYSQL_USER=${MYSQL_USER}
       - MYSQL_PASSWORD=${MYSQL_PASSWORD}
     networks:
-      - backend_network
+      - database_network  # Only accessible by tracker
     ports:
       - "3306:3306"
     volumes:
@@ -149,8 +157,46 @@ services:
         max-file: "10"
 {% endif %}
 
+# SECURITY: Three-Network Segmentation (Defense in Depth)
+# =========================================================
+# Network isolation prevents lateral movement between services and reduces attack surface.
+# Each service is placed in the minimum networks required for its function.
+#
+# Network Topology:
+#   database_network: Tracker ↔ MySQL
+#     - Only tracker can access MySQL (reduces attack vectors from 3 services to 1)
+#     - Prometheus/Grafana cannot access database even if compromised
+#
+#   metrics_network: Tracker ↔ Prometheus
+#     - Prometheus scrapes metrics from tracker
+#     - Grafana cannot directly access tracker metrics
+#
+#   visualization_network: Prometheus ↔ Grafana
+#     - Grafana queries Prometheus as data source
+#     - Grafana cannot access tracker or MySQL directly
+#
+# Security Benefits:
+#   1. MySQL isolation: Only tracker has database access (least privilege)
+#   2. Metrics isolation: Grafana must query through Prometheus (no direct tracker access)
+#   3. Lateral movement prevention: Compromised service cannot access unrelated services
+#   4. Defense in depth: Network segmentation + authentication + Docker port bindings + UFW
+#
+# See ADR: docs/decisions/docker-ufw-firewall-security-strategy.md
+# See Analysis: docs/analysis/security/docker-network-segmentation-analysis.md
+
 networks:
-  backend_network: {}
+{% if database.driver == "mysql" %}
+  database_network:
+    driver: bridge
+{% endif %}
+{% if prometheus_config %}
+  metrics_network:
+    driver: bridge
+{% endif %}
+{% if grafana_config %}
+  visualization_network:
+    driver: bridge
+{% endif %}
 
 {% if database.driver == "mysql" or grafana_config %}
 volumes: