# Docker Compose stack: Portainer EE published through Traefik on the external
# "proxy" network. Two routers share one backend service:
#   - portainer        -> UI host, goes through the ths-authentik middleware
#   - portainer-direct -> API host, no Authentik, gated only by a source-IP
#                         allowlist (plus whatever auth Portainer itself enforces)
services:
  portainer:
    # NOTE(review): pinned by tag only; a tag can be re-pointed upstream.
    # Pinning by digest as well makes the deployed image reproducible.
    image: portainer/portainer-ee:2.33.7
    container_name: portainer
    restart: unless-stopped
    volumes:
      # The same host secrets directory is mounted read-only at two container
      # paths. NOTE(review): confirm both mount points are actually needed.
      - /opt/portainer/secrets/portainer:/run/secrets/portainer:ro,Z
      - /opt/portainer/secrets/portainer:/run/portainer/portainer:ro,Z
      # ":ro" makes the bind mount read-only; it does not limit the Docker API
      # calls made over the socket. Anything that controls this container can
      # drive the Docker daemon, so treat Portainer access as host-level access.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/portainer/data:/data:Z
    security_opt:
      # Turns off SELinux label confinement for this container (commonly needed
      # to reach docker.sock on SELinux hosts). This removes one isolation layer.
      - label=disable
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"

      # 1) UI protected by Authentik
      # ths-authentik@docker is defined outside this file; this router depends
      # on it for authentication in front of the UI.
      - "traefik.http.routers.portainer.rule=Host(`portainer.thehomelesssherlock.com`)"
      - "traefik.http.routers.portainer.entrypoints=websecure"
      - "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
      - "traefik.http.routers.portainer.middlewares=ths-authentik@docker"
      # Traefik forwards to container port 9000, so the Traefik -> Portainer
      # hop on the proxy network is presumably plain HTTP; TLS ends at Traefik.
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"

      # 2) API / mobile app WITHOUT Authentik, ONLY via VPN (WireGuard)
      # This router bypasses Authentik entirely; the allowlist below is the only
      # control Traefik applies to it.
      # NOTE(review): 10.8.0.0/24 is presumably the WireGuard client subnet.
      # 172.18.0.1/32 looks like a Docker bridge gateway address; any connection
      # whose source Traefik sees as that address passes the allowlist whatever
      # its true origin. Confirm that only VPN traffic can arrive with it.
      - "traefik.http.middlewares.portainer-api-ip.ipallowlist.sourcerange=10.8.0.0/24,172.18.0.1/32"
      # NOTE(review): a publicly issued certificate makes this hostname
      # discoverable through Certificate Transparency logs, so do not rely on
      # the name being unknown.
      - "traefik.http.routers.portainer-direct.rule=Host(`portainer-api.thehomelesssherlock.com`)"
      - "traefik.http.routers.portainer-direct.entrypoints=websecure"
      - "traefik.http.routers.portainer-direct.tls.certresolver=letsencrypt"
      - "traefik.http.routers.portainer-direct.middlewares=portainer-api-ip"
      # Reuses the backend service declared for the UI router above.
      - "traefik.http.routers.portainer-direct.service=portainer"
      - "traefik.http.routers.portainer-direct.priority=100"

networks:
  # Pre-existing network shared with Traefik; not created by this stack.
  proxy:
    external: true