commit 368f16c6a5faadee10580be08fdddb47bf431b6d Author: Ognir Date: Mon Jan 5 14:28:03 2026 +0100 Initial commit: Infraestructura OgnirNAS estabilizada
diff --git a/adguard/docker-compose.yml b/adguard/docker-compose.yml
new file mode 100755
index 0000000..51f78ea
--- /dev/null
+++ b/adguard/docker-compose.yml
@@ -0,0 +1,22 @@
+version: '3.8'
+
+services:
+ adguard:
+ image: adguard/adguardhome
+ container_name: adguard
+ restart: unless-stopped
+ networks:
+ - services-internal-net
+ volumes:
+ - /volume1/docker/data/adguard/config:/opt/adguardhome/conf
+ - /volume1/docker/data/adguard/data:/opt/adguardhome/work
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.adguard.rule=Host(`adguard.ognir-server.synology.me`)"
+ - "traefik.http.routers.adguard.entrypoints=websecure"
+ - "traefik.http.routers.adguard.tls.certresolver=letsencrypt"
+ - "traefik.http.services.adguard.loadbalancer.server.port=80"
+
+networks:
+ services-internal-net:
+ external: true
diff --git a/gitea/docker-compose.yml b/gitea/docker-compose.yml
new file mode 100755
index 0000000..c40b149
--- /dev/null
+++ b/gitea/docker-compose.yml
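Review bot: The `adguard` router carries no `middlewares` label, so the AdGuard admin UI is published on `adguard.ognir-server.synology.me` without the `seguridad-general@file` header set that the gitea router in this same commit applies; add `- "traefik.http.routers.adguard.middlewares=seguridad-general@file"` next to the other router labels. The image is unpinned (`adguard/adguardhome`), and with `restart: unless-stopped` any re-pull can silently move the resolver to a new major; pin a tag or digest. Note that the container only joins `services-internal-net` and publishes no `53/udp` or `53/tcp` port, so as written it is reachable only through Traefik over HTTPS — if LAN clients are expected to use it as their DNS server, that exposure has to come from something outside this file.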
@@ -0,0 +1,42 @@
+# ==============================================================================
+# GITEA - CONFIGURACIÓN DE PRODUCCIÓN PARA SYNOLOGY DSM
+# ==============================================================================
+# Este servicio corre bajo el UID 1032 y GID 100 gestionado internamente por s6.
+# Se conecta a Traefik v3 a través de la red interna de servicios.
+# ==============================================================================
+
+version: "3.9"
+
+services:
+ server:
+ image: gitea/gitea:latest
+ container_name: gitea
+ restart: always
+ networks:
+ - services-internal-net # Red compartida con el Proxy
+ volumes:
+ - /volume1/docker/data/gitea:/data # Persistencia de datos, SSH y DB
+ environment:
+ # IDs de usuario confirmados para evitar conflictos de permisos en el NAS
+ - USER_UID=1032
+ - USER_GID=100
+ - TZ=Europe/Madrid
+ # URL externa para evitar el redireccionamiento a localhost:3000
+ - GITEA__server__ROOT_URL=https://gitea.ognir-server.synology.me/
+ - GITEA__database__DB_TYPE=sqlite3
+ labels:
+ - "traefik.enable=true"
+ # Enrutamiento mediante Host
+ - "traefik.http.routers.gitea.rule=Host(`gitea.ognir-server.synology.me`)"
+ - "traefik.http.routers.gitea.entrypoints=websecure"
+ - "traefik.http.routers.gitea.tls=true"
+ - "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
+ # Forzamos a Traefik a usar la red interna para evitar errores de gateway
+ - "traefik.docker.network=services-internal-net"
+ - "traefik.http.services.gitea.loadbalancer.server.port=3000"
+ # Uso del middleware de seguridad definido en el proveedor de archivos (@file)
+ - "traefik.http.routers.gitea.middlewares=seguridad-general@file"
+
+networks:
+ services-internal-net:
+ external: true
diff --git a/init-net/docker-compose.yml b/init-net/docker-compose.yml
new file mode 100755
index 0000000..506894a
--- /dev/null
+++ b/init-net/docker-compose.yml
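Review bot: The service publishes no port 22 and is reachable only through the Traefik HTTP router, so the SSH path promised by the `/data` volume comment (`Persistencia de datos, SSH y DB`) does not exist as written; either route the SSH port or drop "SSH" from the comment so the next reader does not expect git-over-SSH to work. On a publicly routed host I would also make the registration policy explicit instead of relying on Gitea's default, e.g. `- GITEA__service__DISABLE_REGISTRATION=true` next to the other `GITEA__*` variables, if self-signup is not intended. `gitea/gitea:latest` combined with `restart: always` has the same unpinned-upgrade risk as the other services in this commit; pin at least a minor version.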
@@ -0,0 +1,11 @@
+version: "3.8"
+services:
+ init-net:
+ image: alpine:latest
+ container_name: init-macvlan-shim
+ network_mode: host # CRÍTICO: Para ver las interfaces del NAS
+ privileged: true # CRÍTICO: Para poder crear interfaces
+ restart: "no" # Solo queremos que corra al arrancar el motor Docker
+ volumes:
+ - /volume1/docker/.bin/macvlan-shim.sh:/script.sh:ro
+ entrypoint: ["/bin/sh", "-c", "apk add --no-cache iproute2 > /dev/null 2>&1 && /bin/sh /script.sh"]
diff --git a/portainer/docker-compose.yml b/portainer/docker-compose.yml
new file mode 100644
index 0000000..303c860
--- /dev/null
+++ b/portainer/docker-compose.yml
@@ -0,0 +1,30 @@
+version: '3.8'
+services:
+ portainer:
+ image: portainer/portainer-ce:latest
+ container_name: portainer
+ restart: always
+ user: "1032:100"
+ group_add:
+ - "65538"
+ networks:
+ - services-internal-net
+ # Importante: mantenemos los puertos por si falla el proxy, pero Traefik irá por el 9000 interno
+ ports:
+ - "8000:8000"
+ - "9443:9443"
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /volume1/docker/configs/portainer:/config
+ - /volume1/docker/data/portainer:/data
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.portainer.rule=Host(`portainer.ognir-server.synology.me`)"
+ - "traefik.http.routers.portainer.entrypoints=websecure"
+ - "traefik.http.routers.portainer.tls=true"
+ - "traefik.http.routers.portainer.tls.certresolver=myresolver" # Cambia 'myresolver' por el nombre que tengas en tu Traefik
+ - "traefik.http.services.portainer.loadbalancer.server.port=9000"
+
+networks:
+ services-internal-net:
+ external: true
diff --git a/traefik/docker-compose.yml b/traefik/docker-compose.yml
new file mode 100755
index 0000000..f3caed5
--- /dev/null
+++ b/traefik/docker-compose.yml
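Review bot: `restart: "no"` contradicts its own comment (`Solo queremos que corra al arrancar el motor Docker`): a container with that policy is never started by the engine at boot, so whatever actually triggers this shim (a DSM scheduled task, a manual `compose up`) is undocumented and the macvlan setup silently depends on it; state the trigger in the comment, or run it from the script that creates the networks. The entrypoint also hides every failure — `apk add ... > /dev/null 2>&1` discards the output, and because the `&&` gates the script, a boot without network access means a `privileged` host-network container exits without ever running `/script.sh` and without logging why; drop the redirect so the failure is visible in `docker logs`. More fundamentally, a privileged container on the host network namespace should not be fetching packages from the internet at boot: pin the image and bake `iproute2` into it (or use an image that already ships `ip`) instead of `alpine:latest` plus a runtime `apk add`.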
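Review bot: `traefik.http.routers.portainer.tls.certresolver=myresolver` points at a resolver that does not exist — the static config in this commit defines only `letsencrypt` — so as far as I can tell Traefik will log an error for this router and serve its default self-signed certificate for `portainer.ognir-server.synology.me`; change it to `letsencrypt` and remove the placeholder comment. The `ports:` block publishes 8000 and 9443 directly on the NAS, bypassing Traefik and any middleware for a container that holds the read-write Docker socket (i.e. host-root-equivalent); if a proxy-failure fallback is really wanted, bind it to a LAN-only address (`- "192.168.178.x:9443:9443"`, or `127.0.0.1`) and drop 8000 unless Edge agents are actually in use. The router also lacks the `seguridad-general@file` middleware that gitea applies.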
@@ -0,0 +1,70 @@
+# ==============================================================================
+# DOCKER COMPOSE - INFRAESTRUCTURA TRAEFIK (ESTÁNDAR OGNIR)
+# ==============================================================================
+
+version: "3.9"
+
+services:
+ traefik-socket-proxy:
+ image: tecnativa/docker-socket-proxy:latest
+ container_name: traefik-socket-proxy
+ restart: always
+ networks:
+ - services-internal-net
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ environment:
+ - CONTAINERS=1
+ - NETWORKS=1
+ - SERVICES=1
+ - VERSION=1
+ - EVENTS=1
+ # Recuperado del original para estabilidad del socket
+ - CONNECT_TIMEOUT=30
+ - SERVER_TIMEOUT=30
+ - CLIENT_TIMEOUT=30
+
+ traefik:
+ image: traefik:v3.0
+ container_name: traefik
+ restart: always
+ user: "1032:100"
+ depends_on:
+ traefik-socket-proxy:
+ condition: service_started
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.traefik-dash.rule=Host(`traefik.ognir-server.synology.me`)"
+ - "traefik.http.routers.traefik-dash.entrypoints=websecure"
+ - "traefik.http.routers.traefik-dash.tls=true"
+ - "traefik.http.routers.traefik-dash.tls.certresolver=letsencrypt"
+ - "traefik.http.routers.traefik-dash.service=api@internal"
+ # Middleware de seguridad (debe existir en /dynamic/middlewares.yml)
+ - "traefik.http.routers.traefik-dash.middlewares=seguridad-general@file"
+ networks:
+ proxy-macvlan-net:
+ ipv4_address: 192.168.178.25
+ services-internal-net:
+
+ # Recuperado íntegramente del original
+ healthcheck:
+ test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:8080/ping"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ start_period: 20s
+
+ volumes:
+ - /volume1/docker/configs/traefik:/etc/traefik:ro
+ - /volume1/docker/data/traefik:/letsencrypt
+ - /volume1/docker/data/traefik/logs:/var/log/traefik
+
+ command:
+ # Única instrucción necesaria: cargar el archivo documentado
+ - "--configFile=/etc/traefik/traefik.yml"
+
+networks:
+ proxy-macvlan-net:
+ external: true
+ services-internal-net:
+ external: true
diff --git a/traefik/dynamic/dashboard.yml b/traefik/dynamic/dashboard.yml
new file mode 100755
index 0000000..1004bb7
--- /dev/null
+++ b/traefik/dynamic/dashboard.yml
@@ -0,0 +1,11 @@
+http:
+ routers:
+ api:
+ rule: "Host(`traefik.ognir-server.synology.me`) || Host(`ognir-server.synology.me`)"
+ service: api@internal
+ middlewares:
+ - auth-dashboard@file
+ entryPoints:
+ - websecure
+ tls:
+ certResolver: letsencrypt
diff --git a/traefik/dynamic/external_services.yml b/traefik/dynamic/external_services.yml
new file mode 100755
index 0000000..3d0dd98
--- /dev/null
+++ b/traefik/dynamic/external_services.yml
@@ -0,0 +1,15 @@
+http:
+ routers:
+ router-fritz:
+ rule: "Host(`fritz.ognir-server.synology.me`)"
+ entryPoints:
+ - "websecure"
+ service: "fritz-service"
+ tls:
+ certResolver: "letsencrypt"
+
+ services:
+ fritz-service:
+ loadBalancer:
+ servers:
+ - url: "http://192.168.178.1"
diff --git a/traefik/dynamic/middlewares.yml b/traefik/dynamic/middlewares.yml
new file mode 100755
index 0000000..92c8e13
--- /dev/null
+++ b/traefik/dynamic/middlewares.yml
@@ -0,0 +1,17 @@
+# ==============================================================================
+# MIDDLEWARES DE SEGURIDAD (CONFIGURACIÓN DINÁMICA)
+# ==============================================================================
+
+http:
+ middlewares:
+ seguridad-general:
+ headers:
+ # Cabeceras de seguridad recomendadas (HSTS, XSS, etc.)
+ forceSTSHeader: true
+ stsSeconds: 31536000
+ stsIncludeSubdomains: true
+ stsPreload: true
+ contentTypeNosniff: true
+ browserXssFilter: true
+ frameDeny: true # Evita que tu sitio sea cargado en un iframe (protección clickjacking)
+ referrerPolicy: "same-origin"
diff --git a/traefik/traefik.yml b/traefik/traefik.yml
new file mode 100755
index 0000000..f6cbb21
--- /dev/null
+++ b/traefik/traefik.yml
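Review bot: `traefik-socket-proxy` is attached to `services-internal-net`, the same network every application container in this commit joins, so a compromised gitea, vaultwarden, adguard or portainer container can reach `tcp://traefik-socket-proxy:2375` and, with `CONTAINERS=1`, inspect every container on the host including its environment variables (the `GITEA__*` and vaultwarden settings among them). Move the proxy onto a dedicated network that only `traefik` also joins — add e.g. `socket-proxy-net` to both services, remove `services-internal-net` from the proxy's `networks:`, and declare the new network at the bottom; the `providers.docker.endpoint` hostname keeps resolving on the shared network. Separately, the `traefik-dash` label router publishes `api@internal` with only `seguridad-general@file` and no authentication, duplicating the router in `dynamic/dashboard.yml`; drop the label router so the file-provider one (with its auth middleware) is the sole path to the dashboard.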
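Review bot: `auth-dashboard@file` is not defined anywhere in this commit — `dynamic/middlewares.yml` declares only `seguridad-general` — so unless it lives in a file outside the diff, Traefik will refuse to build the `api` router and the dashboard ends up served by the unauthenticated `traefik-dash` label router from `traefik/docker-compose.yml`. Define the middleware next to `seguridad-general`, e.g. `auth-dashboard:` / `basicAuth:` / `usersFile: "/etc/traefik/dynamic/.htpasswd"` with htpasswd-hashed credentials (never plaintext in the YAML), and confirm the referencing router actually loads by checking the Traefik log at WARN. The rule also matches the bare `ognir-server.synology.me` host, which turns the apex name of the whole domain into an admin endpoint; confirm that is intended rather than a leftover.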
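Review bot: `router-fritz` exposes the FRITZ!Box admin interface at `192.168.178.1` to the internet with no middleware at all — neither `seguridad-general@file` nor any allow-list or auth — so the device's own login page is brute-forceable from anywhere and is the only router in this commit that also misses the HSTS/frame headers. Add `middlewares: ["seguridad-general@file", "fritz-allowlist@file"]` with an `ipAllowList` limited to LAN/VPN ranges (or reuse the dashboard's auth middleware), and reconsider whether this route belongs on the public entrypoint at all. The backend `url` is plain `http://`, so the hop from Traefik to the router carries the admin password in cleartext on the LAN; if the device offers HTTPS, point at it and configure a `serversTransport` for its certificate instead.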
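Review bot: `browserXssFilter: true` emits the deprecated `X-XSS-Protection: 1; mode=block` header, which current browsers ignore and which older engines were shown to abuse for cross-site leaks; drop the line and the "XSS" mention in the comment above it rather than advertise it as a protection. `stsPreload: true` together with `stsIncludeSubdomains: true` is a commitment for every name under `ognir-server.synology.me`, not only the hosts in this commit — keep it only if the domain will actually be submitted to the preload list, otherwise set `stsPreload: false`. The middleware itself is fine; the larger gap is that only the gitea and dashboard routers in this commit reference `seguridad-general@file`, while adguard, portainer, vaultwarden and fritz do not.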
@@ -0,0 +1,53 @@
+# ==============================================================================
+# CONFIGURACIÓN ESTÁTICA - MIGRACIÓN DESDE COMMANDS
+# ==============================================================================
+
+global:
+ checkNewVersion: false
+ sendAnonymousUsage: false
+
+api:
+ dashboard: true
+ insecure: true # Mantiene puerto 8080 para debug y healthcheck
+
+# Recuperado del original: Necesario para el Healthcheck del Docker-compose
+ping: true
+
+log:
+ level: ERROR
+ filePath: "/var/log/traefik/traefik.log"
+
+accessLog:
+ filePath: "/var/log/traefik/access.log"
+
+# --- Entrypoints: Puertos de red y Redirección Global ---
+entryPoints:
+ web:
+ address: ":80"
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ websecure:
+ address: ":443"
+
+# --- Proveedores: Docker (vía Proxy) y Archivos Locales ---
+providers:
+ docker:
+ endpoint: "tcp://traefik-socket-proxy:2375"
+ exposedByDefault: false
+ network: services-internal-net
+ file:
+ # Ruta donde se encuentran tus middlewares y servicios externos
+ directory: "/etc/traefik/dynamic"
+ watch: true
+
+# --- Certificados ACME (Let's Encrypt) ---
+certificatesResolvers:
+ letsencrypt:
+ acme:
+ email: "tortosaantonio@gmail.com"
+ # Ruta exacta validada en tu original
+ storage: "/letsencrypt/data/acme.json"
+ tlsChallenge: {}
diff --git a/vaultwarden/docker-compose.yml b/vaultwarden/docker-compose.yml
new file mode 100755
index 0000000..71e7252
--- /dev/null
+++ b/vaultwarden/docker-compose.yml
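Review bot: `api.insecure: true` serves the full API and dashboard on `:8080` with no authentication, and because the Traefik container has its own macvlan address (`192.168.178.25` in `traefik/docker-compose.yml`) that port is reachable from every LAN host, not just from the `127.0.0.1:8080/ping` healthcheck the comment cites. `ping: true` on its own creates the `traefik` entrypoint on `:8080` and serves `/ping` there, so the healthcheck keeps working with `insecure: false`; set that and reach the dashboard only through the authenticated `websecure` router. Two smaller points: `log.level: ERROR` hides the "middleware/resolver does not exist" warnings that this commit's file-provider references will trigger, so `WARN` is a safer floor, and `/letsencrypt/data/acme.json` must exist with mode `0600` and be owned by UID 1032 or Traefik refuses to load it at startup.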
@@ -0,0 +1,26 @@
+version: '3.8'
+
+services:
+ vaultwarden:
+ image: vaultwarden/server:latest
+ container_name: vaultwarden
+ restart: always
+ user: "1032:100"
+ networks:
+ - services-internal-net
+ volumes:
+ - /volume1/docker/data/vaultwarden:/data
+ environment:
+ - SIGNUPS_ALLOWED=false
+ - INVITATIONS_ALLOWED=false
+ - DOMAIN=https://vaultwarden.ognir-server.synology.me
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.ognir-server.synology.me`)"
+ - "traefik.http.routers.vaultwarden.entrypoints=websecure"
+ - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
+ - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
+
+networks:
+ services-internal-net:
+ external: true
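Review bot: The `vaultwarden` router has no middleware, so the public login endpoint gets neither the `seguridad-general@file` headers the gitea router uses nor any rate limiting; with signups and invitations closed, online guessing of a master password through the token endpoint is the main exposure left, so add `- "traefik.http.routers.vaultwarden.middlewares=seguridad-general@file,vw-ratelimit@file"` with a `rateLimit` middleware defined next to `seguridad-general`. `vaultwarden/server:latest` with `restart: always` should be pinned like the other images so a restart cannot pull a surprise upgrade of the vault server. Leaving `ADMIN_TOKEN` unset keeps `/admin` disabled, which is the right default for an internet-facing instance — a one-line comment saying so would stop someone "fixing" it later.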