From e28af4ff1b3981453f0587396150a59ae29d9e24 Mon Sep 17 00:00:00 2001
From: Ognir
Date: Mon, 5 Jan 2026 14:42:13 +0100
Subject: [PATCH] Fix: Portainer restaurado con usuario 1032 y labels de Traefik v3
---
 portainer/docker-compose.yml | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
 mode change 100644 => 100755 portainer/docker-compose.yml
diff --git a/portainer/docker-compose.yml b/portainer/docker-compose.yml
old mode 100644
new mode 100755
index 303c860..93bb439
--- a/portainer/docker-compose.yml
+++ b/portainer/docker-compose.yml
@@ -1,4 +1,14 @@
+# ==============================================================================
+# PORTAINER CE - CONFIGURACIÓN SEGURA PARA OGNIRNAS
+# ==============================================================================
+# - Usuario: 1032 (docker-manager)
+# - Acceso Socket: GID 65538 (Synology Docker Group)
+# - Red: services-internal-net
+# - Middleware: seguridad-general@file
+# ==============================================================================
+
 version: '3.8'
+
 services:
 portainer:
 image: portainer/portainer-ce:latest
@@ -6,24 +16,26 @@ services:
 restart: always
 user: "1032:100"
 group_add:
- - "65538"
+ - "65538" # Permite al usuario 1032 leer el socket de root
 networks:
 - services-internal-net
- # Importante: mantenemos los puertos por si falla el proxy, pero Traefik irá por el 9000 interno
+ # Puertos de emergencia (puedes comentarlos si solo usas Traefik)
 ports:
 - "8000:8000"
 - "9443:9443"
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
- - /volume1/docker/configs/portainer:/config
 - /volume1/docker/data/portainer:/data
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.portainer.rule=Host(`portainer.ognir-server.synology.me`)"
 - "traefik.http.routers.portainer.entrypoints=websecure"
 - "traefik.http.routers.portainer.tls=true"
- - "traefik.http.routers.portainer.tls.certresolver=myresolver" # Cambia 'myresolver' por el nombre que tengas en tu Traefik
+ - "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
+ - "traefik.docker.network=services-internal-net"
 - "traefik.http.services.portainer.loadbalancer.server.port=9000"
+ # Importante: El middleware que definimos en la config dinámica
+ - "traefik.http.routers.portainer.middlewares=seguridad-general@file"
 networks:
 services-internal-net:
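Review bot: The host ports `8000` and `9443` kept under `ports:` reach Portainer directly, so the `seguridad-general@file` middleware attached to the Traefik router at the end of this hunk does not apply to them. If they are only for emergency access, bind the UI port to a loopback or LAN-only address, e.g. `- "127.0.0.1:9443:9443"`, and drop `- "8000:8000"` unless Edge agents are in use. The new comment on `group_add` also understates the grant: membership in GID 65538 gives access to the read-write mount of `/var/run/docker.sock`, which is effectively root-equivalent control of the host, so I would word it as `# GID 65538 grants full Docker socket access (root-equivalent on the host)`. The top-level `networks:` definition continues outside the hunk, so it cannot be confirmed from here that `traefik.docker.network=services-internal-net` matches the real network name; Compose prefixes the project name unless the network is `external` or has an explicit `name:`.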