# ==============================================================================
# OGNIRNAS - PORTAINER CE (GESTIÓN DE CONTENEDORES)
# ==============================================================================
# Última revisión: 2026-01-06
# Propietario: Ognir (UID 1032 / GID 100)
# NOTA: Sin Auth de Traefik (usa su propio login interno).
# ==============================================================================

version: "3.9"

services:
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    restart: always
    security_opt:
      - no-new-privileges:true
    
    networks:
      services-internal-net: {}

    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro # Conexión al socket para gestión
      - /volume1/docker/data/portainer:/data         # Datos persistentes

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`portainer.ognir-server.synology.me`)"
      - "traefik.http.routers.portainer.entrypoints=websecure"
      - "traefik.http.routers.portainer.tls=true"
      - "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      # --- MIDDLEWARES (SOLO CABECERAS, SIN AUTH) ---
      - "traefik.http.routers.portainer.middlewares=security-headers@file"

networks:
  services-internal-net:
    external: true