From f22842052ae8a6040669bd38fbcbd21e3b8464ac Mon Sep 17 00:00:00 2001
From: Eduardo David Paredes Vara
Date: Tue, 17 Feb 2026 09:16:59 +0000
Subject: [PATCH] portainer wrn fix

---
 docker-compose.yml | 53 +++++++++++++++++-----------------------------
 1 file changed, 20 insertions(+), 33 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 8660512..2ea645d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,24 +1,15 @@
 services:
   portainer:
-    image: ${PORTAINER_IMAGE:-portainer/portainer-ce:latest}
+    image: portainer/portainer-ee:2.33.7
     container_name: portainer
     restart: unless-stopped
-    env_file:
-      - .env
     volumes:
-      # Clave de cifrado: misma clave montada en las dos rutas
-      - ${PORTAINER_SECRET_PATH:-/opt/portainer/secrets/portainer}:/run/secrets/portainer:ro,Z
-      - ${PORTAINER_SECRET_PATH:-/opt/portainer/secrets/portainer}:/run/portainer/portainer:ro,Z
-
-      # Socket de Docker (NO usar :Z aquí)
+      - /opt/portainer/secrets/portainer:/run/secrets/portainer:ro,Z
+      - /opt/portainer/secrets/portainer:/run/portainer/portainer:ro,Z
       - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /opt/portainer/data:/data:Z
-      # Datos de Portainer (DB cifrada incluida)
-      - ${PORTAINER_DATA_PATH:-/opt/portainer/data}:/data:Z
-
-      # SELinux: evita bloqueos con docker.sock
     security_opt:
       - label=disable
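Review bot: The new volumes block keeps the double mount of `/opt/portainer/secrets/portainer` and the `label=disable` entry under `security_opt`, but drops the comments that explained them, so a reader of the new file no longer learns that the two secret mounts are the same encryption key exposed at both `/run/secrets/portainer` and `/run/portainer/portainer`, nor why SELinux labelling is disabled for this container. I would carry the explanations over to the added lines, e.g. `# Encryption key: the same key file mounted at both paths` above the two secret mounts and `# SELinux: label=disable avoids denials on the docker.sock bind mount` above `security_opt`, matching what the removed Spanish comments said. The removed `# Socket de Docker (NO usar :Z aquí)` note is also worth restoring next to the unchanged `/var/run/docker.sock` line; note as well that `:ro` on a bind-mounted socket only makes the mount read-only, it does not restrict what the Docker API can be asked to do through it, so the socket mount plus `label=disable` should be documented as the container's effective host-level privilege. Pinning `portainer/portainer-ee:2.33.7` instead of `${PORTAINER_IMAGE:-...:latest}` is an improvement for reproducibility; a short comment on where the tag is tracked would help future bumps.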
@@ -26,28 +17,24 @@ services:
       - proxy
     labels:
-      traefik.enable: "true"
-      traefik.docker.network: "${TRAEFIK_DOCKER_NETWORK:-proxy}"
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy"
-      ############################
-      # 1) UI protegida (ej: SSO)
-      ############################
-      traefik.http.routers.portainer.rule: "Host(`${PORTAINER_DOMAIN:-portainer.example.com}`)"
-      traefik.http.routers.portainer.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE:-websecure}"
-      traefik.http.routers.portainer.tls.certresolver: "${TRAEFIK_CERTRESOLVER:-letsencrypt}"
-      traefik.http.routers.portainer.middlewares: "${TRAEFIK_AUTH_MIDDLEWARE:-ths-authentik@docker}"
-      traefik.http.services.portainer.loadbalancer.server.port: "${PORTAINER_HTTP_PORT:-9000}"
+      # 1) UI protegida Authentik
+      - "traefik.http.routers.portainer.rule=Host(`portainer.thehomelesssherlock.com`)"
+      - "traefik.http.routers.portainer.entrypoints=websecure"
+      - "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.portainer.middlewares=ths-authentik@docker"
+      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
-      #########################################################
-      # 2) API/App móvil SIN SSO, restringida por IP (ej: VPN)
-      #########################################################
-      traefik.http.middlewares.portainer-api-ip.ipwhitelist.sourcerange: "${PORTAINER_API_IP_WHITELIST:-10.8.0.0/24,172.18.0.1/32}"
-      traefik.http.routers.portainer-direct.rule: "Host(`${PORTAINER_API_DOMAIN:-portainer-api.example.com}`)"
-      traefik.http.routers.portainer-direct.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE:-websecure}"
-      traefik.http.routers.portainer-direct.tls.certresolver: "${TRAEFIK_CERTRESOLVER:-letsencrypt}"
-      traefik.http.routers.portainer-direct.middlewares: "portainer-api-ip"
-      traefik.http.routers.portainer-direct.service: "portainer"
-      traefik.http.routers.portainer-direct.priority: "100"
+      # 2) API/App móvil SIN Authentik, SOLO por VPN (WireGuard)
+      - "traefik.http.middlewares.portainer-api-ip.ipallowlist.sourcerange=10.8.0.0/24,172.18.0.1/32"
+      - "traefik.http.routers.portainer-direct.rule=Host(`portainer-api.thehomelesssherlock.com`)"
+      - "traefik.http.routers.portainer-direct.entrypoints=websecure"
+      - "traefik.http.routers.portainer-direct.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.portainer-direct.middlewares=portainer-api-ip"
+      - "traefik.http.routers.portainer-direct.service=portainer"
+      - "traefik.http.routers.portainer-direct.priority=100"
 networks:
   proxy: