STABLE: Reconstrucción integral de Traefik v3 y Portainer con seguridad reforzada y documentación

2026-01-06 00:55:11 +01:00
parent 4ce8786056
commit 3c5976e37f


@@ -1,41 +1,38 @@
# ============================================================================== # ==============================================================================
# PORTAINER CE - CONFIGURACIÓN SEGURA PARA OGNIRNAS # OGNIRNAS - PORTAINER CE (GESTIÓN DE CONTENEDORES)
# ============================================================================== # ==============================================================================
# - Usuario: 1032 (docker-manager) # Última revisión: 2026-01-06
# - Acceso Socket: GID 65538 (Synology Docker Group) # Propietario: Ognir (UID 1032 / GID 100)
# - Red: services-internal-net # NOTA: Sin Auth de Traefik (usa su propio login interno).
# - Middleware: seguridad-general@file
# ============================================================================== # ==============================================================================
version: '3.8' version: "3.9"
services: services:
portainer: portainer:
image: portainer/portainer-ce:latest image: portainer/portainer-ce:latest
container_name: portainer container_name: portainer
restart: always restart: always
user: "1032:100" security_opt:
group_add: - no-new-privileges:true
- "65538" # Permite al usuario 1032 leer el socket de root
networks: networks:
- services-internal-net services-internal-net: {}
# Puertos de emergencia (puedes comentarlos si solo usas Traefik)
ports:
- "8000:8000"
- "9443:9443"
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock - /etc/localtime:/etc/localtime:ro
- /volume1/docker/data/portainer:/data - /var/run/docker.sock:/var/run/docker.sock:ro # Conexión al socket para gestión
- /volume1/docker/data/portainer:/data # Datos persistentes
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.portainer.rule=Host(`portainer.ognir-server.synology.me`)" - "traefik.http.routers.portainer.rule=Host(`portainer.ognir-server.synology.me`)"
- "traefik.http.routers.portainer.entrypoints=websecure" - "traefik.http.routers.portainer.entrypoints=websecure"
- "traefik.http.routers.portainer.tls=true" - "traefik.http.routers.portainer.tls=true"
- "traefik.http.routers.portainer.tls.certresolver=letsencrypt" - "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
- "traefik.docker.network=services-internal-net"
- "traefik.http.services.portainer.loadbalancer.server.port=9000" - "traefik.http.services.portainer.loadbalancer.server.port=9000"
# Importante: El middleware que definimos en la config dinámica # --- MIDDLEWARES (SOLO CABECERAS, SIN AUTH) ---
- "traefik.http.routers.portainer.middlewares=seguridad-general@file" - "traefik.http.routers.portainer.middlewares=security-headers@file"
networks: networks:
services-internal-net: services-internal-net: