From 49dc08063266c78bd4b6c767d047484067566a20 Mon Sep 17 00:00:00 2001
From: Eduardo David Paredes Vara
Date: Wed, 3 Dec 2025 15:53:20 +0000
Subject: [PATCH] Portainer base
---
 .env | 30 +++++++++++++++++++++
 Traefik/stack.env | 2 +-
 docker-compose.9443.yml | 7 +++++
 docker-compose.yml | 55 +++++++++++++++++++++++++++++++++++++++
 ruleta/docker-compose.yml | 2 +-
 5 files changed, 94 insertions(+), 2 deletions(-)
 create mode 100644 .env
 create mode 100644 docker-compose.9443.yml
 create mode 100644 docker-compose.yml
diff --git a/.env b/.env
new file mode 100644
index 0000000..8b6f64d
--- /dev/null
+++ b/.env
@@ -0,0 +1,30 @@
+##### Portainer #####
+# Por defecto se usa Portainer CE (definido en el docker-compose)
+# Si quieres usar Portainer EE, descomenta y ajusta esta línea:
+# PORTAINER_IMAGE=portainer/portainer-ee:2.33.5
+
+# Rutas (cámbialas si no quieres /opt/...)
+# PORTAINER_SECRET_PATH=/opt/portainer/secrets/portainer
+# PORTAINER_DATA_PATH=/opt/portainer/data
+# PORTAINER_HTTP_PORT=9000
+
+##### Traefik / dominios #####
+# Nombre de la red de Docker que usa Traefik
+# TRAEFIK_DOCKER_NETWORK=proxy
+
+# Nombre del entrypoint HTTPS en Traefik
+# TRAEFIK_ENTRYPOINT_SECURE=websecure
+
+# Nombre del certresolver de Let's Encrypt
+# TRAEFIK_CERTRESOLVER=letsencrypt
+
+# Middleware de autenticación (SSO, etc.)
+# TRAEFIK_AUTH_MIDDLEWARE=authentik@docker
+
+# Dominios de ejemplo (cámbialos por los tuyos)
+# PORTAINER_DOMAIN=portainer.example.com
+# PORTAINER_API_DOMAIN=portainer-api.example.com
+
+# Rangos IP permitidos para la API directa (ej: red VPN + host)
+# PORTAINER_API_IP_WHITELIST=10.8.0.0/24,172.18.0.1/32
+
diff --git a/Traefik/stack.env b/Traefik/stack.env
index 614f878..7d15f46 100644
--- a/Traefik/stack.env
+++ b/Traefik/stack.env
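Review bot: The commented EE example pins `portainer-ee:2.33.5`, but the CE path that docker-compose.yml falls back to is `portainer-ce:latest`, so a fresh deploy pulls whatever that tag points at on the day and a routine `compose pull` may run a database migration on the encrypted data directory without anyone choosing to upgrade. I would document a pinned CE tag here as the recommended value, e.g. `# PORTAINER_IMAGE=portainer/portainer-ce:<pinned version>`, and note that changing it is a deliberate upgrade step. It is also worth stating in the header comment that any line uncommented in this file is injected into the Portainer container through `env_file`, not only used for `${VAR}` substitution, so unrelated secrets do not belong here.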
@@ -2,7 +2,7 @@
 TRAEFIK_IMAGE=traefik:v3.1
 TRAEFIK_LOG_LEVEL=INFO
 TRAEFIK_DOCKER_NETWORK=proxy
-TRAEFIK_ACME_EMAIL=lets.encrypt@thehomelesssherlock.com
+TRAEFIK_ACME_EMAIL=lets.encrypt@example.com
 TRAEFIK_ACME_STORAGE=/letsencrypt/acme.json
 TRAEFIK_HTTP_PORT=80
 TRAEFIK_HTTPS_PORT=443
diff --git a/docker-compose.9443.yml b/docker-compose.9443.yml
new file mode 100644
index 0000000..9b3ebf4
--- /dev/null
+++ b/docker-compose.9443.yml
@@ -0,0 +1,7 @@
+services:
+ portainer:
+ ports:
+ - "9443:9443"
+ # Si quisieras también el edge:
+ # - "8000:8000"
+
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..dd87b5e
--- /dev/null
+++ b/docker-compose.yml
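Review bot: Replacing the address in TRAEFIK_ACME_EMAIL only hides it from this revision; the previous value, and the hostname scrubbed from the comment in ruleta/docker-compose.yml in this same patch, stay readable in the repository history, so if the aim is to publish the repo without them the history itself has to be rewritten rather than just the tip. Separately, `lets.encrypt@example.com` is a placeholder that, as far as I know, Let's Encrypt refuses at account registration (example.com contact domains are rejected), so a comment such as `# Replace before first run: ACME registration fails with the example.com placeholder` would turn a confusing certificate error into an obvious setup step.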
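Review bot: `- "9443:9443"` publishes Portainer's built-in HTTPS listener on every host interface, which sidesteps both the SSO middleware and the source-IP restriction that docker-compose.yml places in front of it through Traefik, so anyone who can reach the host on 9443 is at the login page directly. If this override exists for local or VPN-only access, bind it explicitly, e.g. `- "127.0.0.1:9443:9443"` or the VPN interface address, and say so in the comment above the port. The same consideration applies to the commented `8000:8000` edge line if it is ever enabled.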
@@ -0,0 +1,55 @@
+services:
+ portainer:
+ image: ${PORTAINER_IMAGE:-portainer/portainer-ce:latest}
+ container_name: portainer
+ restart: unless-stopped
+
+ env_file:
+ - .env
+
+ volumes:
+ # Clave de cifrado: misma clave montada en las dos rutas
+ - ${PORTAINER_SECRET_PATH:-/opt/portainer/secrets/portainer}:/run/secrets/portainer:ro,Z
+ - ${PORTAINER_SECRET_PATH:-/opt/portainer/secrets/portainer}:/run/portainer/portainer:ro,Z
+
+ # Socket de Docker (NO usar :Z aquí)
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+
+ # Datos de Portainer (DB cifrada incluida)
+ - ${PORTAINER_DATA_PATH:-/opt/portainer/data}:/data:Z
+
+ # SELinux: evita bloqueos con docker.sock
+ security_opt:
+ - label=disable
+
+ networks:
+ - proxy
+
+ labels:
+ traefik.enable: "true"
+ traefik.docker.network: "${TRAEFIK_DOCKER_NETWORK:-proxy}"
+
+ ############################
+ # 1) UI protegida (ej: SSO)
+ ############################
+ traefik.http.routers.portainer.rule: "Host(`${PORTAINER_DOMAIN:-portainer.example.com}`)"
+ traefik.http.routers.portainer.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE:-websecure}"
+ traefik.http.routers.portainer.tls.certresolver: "${TRAEFIK_CERTRESOLVER:-letsencrypt}"
+ traefik.http.routers.portainer.middlewares: "${TRAEFIK_AUTH_MIDDLEWARE:-authentik@docker}"
+ traefik.http.services.portainer.loadbalancer.server.port: "${PORTAINER_HTTP_PORT:-9000}"
+
+ #########################################################
+ # 2) API/App móvil SIN SSO, restringida por IP (ej: VPN)
+ #########################################################
+ traefik.http.middlewares.portainer-api-ip.ipwhitelist.sourcerange: "${PORTAINER_API_IP_WHITELIST:-10.8.0.0/24,172.18.0.1/32}"
+ traefik.http.routers.portainer-direct.rule: "Host(`${PORTAINER_API_DOMAIN:-portainer-api.example.com}`)"
+ traefik.http.routers.portainer-direct.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE:-websecure}"
+ traefik.http.routers.portainer-direct.tls.certresolver: "${TRAEFIK_CERTRESOLVER:-letsencrypt}"
+ traefik.http.routers.portainer-direct.middlewares: "portainer-api-ip"
+ traefik.http.routers.portainer-direct.service: "portainer"
+ traefik.http.routers.portainer-direct.priority: "100"
+
+networks:
+ proxy:
+ external: true
+
diff --git a/ruleta/docker-compose.yml b/ruleta/docker-compose.yml
index f941790..c101688 100644
--- a/ruleta/docker-compose.yml
+++ b/ruleta/docker-compose.yml
@@ -22,7 +22,7 @@ services: # --------------------------- # 1) Router EXISTENTE (subdominio) - # https://ruleta.thehomelesssherlock.com + # https://ruleta.example.com # --------------------------- traefik.http.routers.ruleta-sub.rule: "Host(`${RULETA_SUBDOMAIN}`)" traefik.http.routers.ruleta-sub.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
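Review bot: The `portainer-direct` router exposes the whole Portainer UI and API on a second hostname with nothing but a source-IP check in front of it, and the default range `10.8.0.0/24,172.18.0.1/32` includes the bridge gateway address, which is also what a connection can look like after Docker's userland proxy has handled it (loopback or IPv6 clients on published ports), so the allow-list may admit more than the VPN the comment describes; I would drop the gateway from the default and state the VPN-only intent in the comment above the `sourcerange` label. On Traefik v3, which Traefik/stack.env pins as `traefik:v3.1`, `ipwhitelist` is the deprecated v2 name and the label should read `traefik.http.middlewares.portainer-api-ip.ipallowlist.sourcerange: "${PORTAINER_API_IP_WHITELIST:-10.8.0.0/24}"`. `env_file: - .env` injects every uncommented line of that file into the container environment, while Compose already reads `.env` for the `${VAR}` substitutions used throughout this file, so the `env_file` block can simply be removed. Finally, `:ro` on the docker.sock bind does not restrict what the daemon API will do for Portainer, so a comment on that line such as `# :ro only affects the socket file, not the API behind it` would stop it being mistaken for a hardening measure.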