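# ==============================================================================
# PORTAINER CE - SECURE CONFIGURATION FOR OGNIRNAS
# ==============================================================================
# - User: 1032 (docker-manager)
# - Socket access: GID 65538 (Synology Docker group)
# - Network: services-internal-net
# - Middleware: seguridad-general@file
#
# Security notes:
# - The container runs as a non-root user, but membership in the Docker socket
#   group gives it full control of the Docker API, which is equivalent to root
#   on the host. Treat Portainer admin credentials as host-root credentials.
# - The directly published ports do not pass through Traefik, so the
#   seguridad-general@file middleware is not applied to them.
# ==============================================================================
version: '3.8'

services:
  portainer:
    # NOTE(review): ":latest" is a mutable tag, so every pull may bring in
    # unreviewed code with socket access. Prefer pinning a reviewed release,
    # e.g. portainer/portainer-ce:<VERSION>@sha256:<DIGEST> (placeholders).
    image: portainer/portainer-ce:latest
    container_name: portainer
    restart: always
    # Non-root UID:GID inside the container; /data on the host must be
    # writable by this user (presumably already set up; verify ownership).
    user: "1032:100"
    group_add:
      # Supplementary GID that owns the Docker socket on the host. This grants
      # read AND write access to the socket, i.e. the whole Docker API.
      - "65538"
    # Blocks privilege gain through setuid/setgid binaries inside the container.
    security_opt:
      - "no-new-privileges:true"
    networks:
      - services-internal-net
    # Emergency ports (comment them out if you only use Traefik).
    # They are published on all host interfaces and bypass the Traefik
    # middleware; restrict them with the NAS firewall if they stay enabled.
    # 8000 is Portainer's Edge agent tunnel port and 9443 its HTTPS UI.
    ports:
      - "8000:8000"
      - "9443:9443"
    volumes:
      # A ":ro" flag on this bind mount would NOT limit what can be done
      # through the API; consider a filtering socket proxy if less than full
      # Docker control is enough.
      - /var/run/docker.sock:/var/run/docker.sock
      - /volume1/docker/data/portainer:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`portainer.ognir-server.synology.me`)"
      - "traefik.http.routers.portainer.entrypoints=websecure"
      - "traefik.http.routers.portainer.tls=true"
      - "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
      - "traefik.docker.network=services-internal-net"
      # Traefik reaches Portainer's plain-HTTP UI port over the internal
      # network; TLS terminates at Traefik.
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
      # Important: the middleware defined in the dynamic (file provider) config.
      # Its contents are not visible here; confirm it enforces the controls
      # this router relies on.
      - "traefik.http.routers.portainer.middlewares=seguridad-general@file"

networks:
  services-internal-net:
    external: true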