klutchell / mediaserver

docker-based plex & usenet media server using custom subdomains with tls

Question on exposed ports

jacc1234 opened this issue

This isn't really an issue, but I wanted to bring up the fact that exposing ports for services like sonarr, radarr, etc. allows traefik basic auth to be bypassed if the ports are open on the host system.

Removing the ports: section for these services in compose still allows them to function as expected behind traefik but without the potential risk.

This might be worth noting for users.

You are completely correct, and I'm aware of the potential for unintentional exposed ports as well.

What if I moved the service ports to a docker-compose.direct.yaml overlay file that is installed (via symlink) by default? Then users could either symlink to the letsencrypt overlay, or the direct overlay, but not both?

That would avoid the need for a warning or manually removing the ports from the primary compose file.
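
A check for the exposure discussed in this thread, added here as an example and not part of the original issue or the project's own code. It assumes the JSON shape printed by `docker compose config --format json` (long-form `ports` entries, labels as a map) and that proxied services carry the `traefik.enable` label; the service entries and port numbers are constructed sample data.

```python
import json

# Constructed sample in the shape printed by `docker compose config --format json`
# (assumption: long-form "ports" entries and a label map). Not the project's real file.
SAMPLE_CONFIG = json.loads("""
{
  "services": {
    "sonarr": {
      "labels": {"traefik.enable": "true"},
      "ports": [{"target": 8989, "published": "8989", "protocol": "tcp"}]
    },
    "radarr": {
      "labels": {"traefik.enable": "true"},
      "ports": [{"target": 7878, "published": "7878",
                 "host_ip": "127.0.0.1", "protocol": "tcp"}]
    },
    "plex": {
      "labels": {"traefik.enable": "true"}
    },
    "traefik": {
      "ports": [{"target": 443, "published": "443", "protocol": "tcp"}]
    }
  }
}
""")

LOOPBACK = {"127.0.0.1", "::1"}

def find_proxy_bypass(config, proxy_service="traefik"):
    """Return (service, host_ip, published_port) for every port published on a
    non-loopback address by a service that Traefik also routes to."""
    findings = []
    for name, svc in sorted(config.get("services", {}).items()):
        if name == proxy_service:
            continue  # the proxy itself is meant to be reachable
        labels = svc.get("labels") or {}
        if str(labels.get("traefik.enable", "")).lower() != "true":
            continue  # not routed through Traefik, out of scope for this check
        for port in svc.get("ports") or []:
            host_ip = port.get("host_ip") or "0.0.0.0"  # no host_ip means all interfaces
            if host_ip not in LOOPBACK and port.get("published"):
                findings.append((name, host_ip, str(port["published"])))
    return findings

if __name__ == "__main__":
    for name, host_ip, published in find_proxy_bypass(SAMPLE_CONFIG):
        print(f"{name}: {host_ip}:{published} is reachable without Traefik basic auth")
```

To audit a real stack, load the output of `docker compose config --format json` with `json.load` and pass it to `find_proxy_bypass` in place of the sample.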