Ognir/docker-configs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

STABLE: Reconstrucción integral de Traefik v3 y Portainer con seguridad reforzada y documentación

Browse Source
This commit is contained in:
Ognir
2026-01-06 00:55:11 +01:00
parent 4ce8786056
commit 3c5976e37f
1 changed files with 16 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
portainer/docker-compose.yml
View File

@@ -1,41 +1,38 @@
# ==============================================================================
# PORTAINER CE - CONFIGURACIÓN SEGURA PARA OGNIRNAS
# OGNIRNAS - PORTAINER CE (GESTIÓN DE CONTENEDORES)
# ==============================================================================
# - Usuario: 1032 (docker-manager)
# - Acceso Socket: GID 65538 (Synology Docker Group)
# - Red: services-internal-net
# - Middleware: seguridad-general@file
# Última revisión: 2026-01-06
# Propietario: Ognir (UID 1032 / GID 100)
# NOTA: Sin Auth de Traefik (usa su propio login interno).
# ==============================================================================
version: '3.8'
version: "3.9"
services:
portainer:
image: portainer/portainer-ce:latest
container_name: portainer
restart: always
user: "1032:100"
group_add:
- "65538" # Permite al usuario 1032 leer el socket de root
security_opt:
- no-new-privileges:true
networks:
- services-internal-net
# Puertos de emergencia (puedes comentarlos si solo usas Traefik)
ports:
- "8000:8000"
- "9443:9443"
services-internal-net: {}
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /volume1/docker/data/portainer:/data
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro # Conexión al socket para gestión
- /volume1/docker/data/portainer:/data # Datos persistentes
labels:
- "traefik.enable=true"
- "traefik.http.routers.portainer.rule=Host(`portainer.ognir-server.synology.me`)"
- "traefik.http.routers.portainer.entrypoints=websecure"
- "traefik.http.routers.portainer.tls=true"
- "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
- "traefik.docker.network=services-internal-net"
- "traefik.http.services.portainer.loadbalancer.server.port=9000"
# Importante: El middleware que definimos en la config dinámica
- "traefik.http.routers.portainer.middlewares=seguridad-general@file"
# --- MIDDLEWARES (SOLO CABECERAS, SIN AUTH) ---
- "traefik.http.routers.portainer.middlewares=security-headers@file"
networks:
services-internal-net: