From 3c5976e37f70d70efa0db891478516495e7a9660 Mon Sep 17 00:00:00 2001
From: Ognir
Date: Tue, 6 Jan 2026 00:55:11 +0100
Subject: [PATCH] =?UTF-8?q?STABLE:=20Reconstrucci=C3=B3n=20integral=20de?=
 =?UTF-8?q?=20Traefik=20v3=20y=20Portainer=20con=20seguridad=20reforzada?=
 =?UTF-8?q?=20y=20documentaci=C3=B3n?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 portainer/docker-compose.yml | 35 ++++++++++++++++-------------------
 1 file changed, 16 insertions(+), 19 deletions(-)
diff --git a/portainer/docker-compose.yml b/portainer/docker-compose.yml
index 93bb439..aa31506 100755
--- a/portainer/docker-compose.yml
+++ b/portainer/docker-compose.yml
@@ -1,41 +1,38 @@ # ============================================================================== -# PORTAINER CE - CONFIGURACIÓN SEGURA PARA OGNIRNAS +# OGNIRNAS - PORTAINER CE (GESTIÓN DE CONTENEDORES) # ============================================================================== -# - Usuario: 1032 (docker-manager) -# - Acceso Socket: GID 65538 (Synology Docker Group) -# - Red: services-internal-net -# - Middleware: seguridad-general@file +# Última revisión: 2026-01-06 +# Propietario: Ognir (UID 1032 / GID 100) +# NOTA: Sin Auth de Traefik (usa su propio login interno). # ============================================================================== -version: '3.8' +version: "3.9" services: portainer: image: portainer/portainer-ce:latest container_name: portainer restart: always - user: "1032:100" - group_add: - - "65538" # Permite al usuario 1032 leer el socket de root + security_opt: + - no-new-privileges:true + networks: - - services-internal-net - # Puertos de emergencia (puedes comentarlos si solo usas Traefik) - ports: - - "8000:8000" - - "9443:9443" + services-internal-net: {} + volumes: - - /var/run/docker.sock:/var/run/docker.sock - - /volume1/docker/data/portainer:/data + - /etc/localtime:/etc/localtime:ro + - /var/run/docker.sock:/var/run/docker.sock:ro # Conexión al socket para gestión + - /volume1/docker/data/portainer:/data # Datos persistentes + labels: - "traefik.enable=true" - "traefik.http.routers.portainer.rule=Host(`portainer.ognir-server.synology.me`)" - "traefik.http.routers.portainer.entrypoints=websecure" - "traefik.http.routers.portainer.tls=true" - "traefik.http.routers.portainer.tls.certresolver=letsencrypt" - - "traefik.docker.network=services-internal-net" - "traefik.http.services.portainer.loadbalancer.server.port=9000" - # Importante: El middleware que definimos en la config dinámica - - "traefik.http.routers.portainer.middlewares=seguridad-general@file" + # --- MIDDLEWARES (SOLO CABECERAS, SIN AUTH) --- + - 
"traefik.http.routers.portainer.middlewares=security-headers@file" networks: services-internal-net:
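Review bot: Dropping `user: "1032:100"` (together with the `group_add` entry) means the container now runs as the image's default user, so the new header line `# Propietario: Ognir (UID 1032 / GID 100)` no longer describes the identity the process actually runs with and reads as if the UID mapping were still in force. If running as the image default is intended, reword that line to something like `# Owner: Ognir (UID 1032 / GID 100) - no user: override, the container runs as the image default` so the next reader does not assume a non-root process; otherwise reinstate the `user:` directive. The `:ro` added to the `/var/run/docker.sock` bind mount only makes the mount point read-only; it does not limit what the Docker API accepts over the socket, so the inline comment `# Conexión al socket para gestión` should say this is still full management access rather than suggest a read-only connection. Separately, `image: portainer/portainer-ce:latest` is left unpinned on a container that holds the Docker socket; pinning to a release tag (or digest) makes updates deliberate rather than whatever the next pull resolves to.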