security: blindaje final de gestion (Portainer, AdGuard y Traefik) con muro-seguro

traefik/dynamic/gestion-segura.yml

@@ -0,0 +1,42 @@
+# ################################################################# #
+# CONFIGURACIÓN DE GESTIÓN PROTEGIDA - OGNIRNAS                     #
+# ################################################################# #
+http:
+  routers:
+    # --- Traefik Dashboard ---
+    router-traefik-dash:
+      rule: "Host(`traefik.ognir-server.synology.me`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))"
+      entryPoints: ["websecure"]
+      middlewares: ["muro-seguro"]
+      service: "api@internal"
+      tls: { certResolver: "letsencrypt" }
+
+    # --- Portainer (Mismo nombre que en Labels para sobrescribir) ---
+    portainer:
+      rule: "Host(`portainer.ognir-server.synology.me`)"
+      entryPoints: ["websecure"]
+      # Añadimos ambos: tus cabeceras originales y el muro
+      middlewares: 
+        - "muro-seguro"
+        - "security-headers"
+      service: "portainer-service"
+      tls: { certResolver: "letsencrypt" }
+
+    # --- AdGuard Home ---
+    router-adguard:
+      rule: "Host(`adguard.ognir-server.synology.me`)"
+      entryPoints: ["websecure"]
+      middlewares: ["muro-seguro"]
+      service: "adguard-service"
+      tls: { certResolver: "letsencrypt" }
+
+  services:
+    portainer-service:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.178.25:9000"
+    adguard-service:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.178.26:80"
+# ################################################################# #