stacks/portainer/README.md

# portainer

Docker container management UI — the "operator console" for cloud and edge.

## Standalone first-run (cloud)

Bring this up **first**, before nginx-proxy, so you have a GUI from day 1 to inspect containers, logs, networks, and volumes as the rest of the cloud stack comes online.

```bash
cd stacks/portainer
docker compose up -d
```

Browse `https://<cloud-host>:9443` (self-signed cert — accept once). Create the admin user on first visit.

## After nginx-proxy is up

Once nginx-proxy + the wildcard cert are working:

1. Comment the `ports:` block in `compose.yml`.
2. `docker compose down && docker compose up -d` (or recreate via cloud/compose.yml include).
3. Browse `https://portainer.wbd-rd.nl/` (real cert, behind nginx).

The direct `:9443` access is intentionally retained as commented-out config for emergency ops if nginx goes down.

## Edge-agent topology

Port `8000` accepts reverse tunnels from edge sites running the `portainer/agent` image. The central cloud Portainer then manages every edge Docker host. Agent-side config lives under `sites/<plant>/` once edge stacks are wired up.

## Networks

- **mgmt** — Docker management plane
- **Docker socket**: read-only mount; *effectively root-equivalent* on the host. Front with Keycloak SSO as soon as auth is wired.

## Volumes

- `portainer-data` — Portainer DB (users, environments, stacks, settings)

## TODO

- Keycloak OIDC auth (Portainer CE needs a frontend gate; Business Edition has native OIDC if budget allows)
- Edge-agent provisioning workflow per site (agent secret, registration call)
- Disable self-signed `:9443` access after nginx-proxy goes live (operational hygiene)
scaffold: hub-and-spoke layout, 4-network topology, 13 stack stubs Initial structure for R&D infrastructure: - stacks/ — 13 reusable, runnable stack stubs (kebab-case) cloud-and-edge: node-red, influxdb, grafana, keycloak, portainer, nginx-proxy, mqtt, postfix cloud-only: wireguard-server, gitea, jenkins, sql (postgres stub) edge-only: wireguard-client - cloud/ — single central hub composition with 4 networks (edge, app, data internal, mgmt) and include: stubs - sites/ — per-plant edge folders (template README only for now) - docs/architecture.md — hub-and-spoke + ingress + segmentation rationale Network model: only nginx-proxy (80/443/8883) and wireguard-server (51820/udp) publish ports on the cloud host. Edge nginx publishes 80/443 on plant-LAN interface only. MQTT cloud-side via nginx stream proxy; MQTT edge-side internal-only; Postfix outbound-only. OT layer (OPCUA, PLCs) is out of scope for this repo. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-21 12:37:59 +02:00			`# portainer`

feat(portainer): standalone deploy with published 9443 for early ops access Bring up portainer first as the operator console — before nginx-proxy + TLS are wired. Self-signed UI on tcp/9443, edge-agent tunnel on tcp/8000. Once nginx-proxy lands, ports get commented out and access shifts to https://portainer.wbd-rd.nl/ behind the wildcard cert. The :9443 direct access remains as commented config for emergency ops if nginx is down. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-21 13:35:20 +02:00			`Docker container management UI — the "operator console" for cloud and edge.`
scaffold: hub-and-spoke layout, 4-network topology, 13 stack stubs Initial structure for R&D infrastructure: - stacks/ — 13 reusable, runnable stack stubs (kebab-case) cloud-and-edge: node-red, influxdb, grafana, keycloak, portainer, nginx-proxy, mqtt, postfix cloud-only: wireguard-server, gitea, jenkins, sql (postgres stub) edge-only: wireguard-client - cloud/ — single central hub composition with 4 networks (edge, app, data internal, mgmt) and include: stubs - sites/ — per-plant edge folders (template README only for now) - docs/architecture.md — hub-and-spoke + ingress + segmentation rationale Network model: only nginx-proxy (80/443/8883) and wireguard-server (51820/udp) publish ports on the cloud host. Edge nginx publishes 80/443 on plant-LAN interface only. MQTT cloud-side via nginx stream proxy; MQTT edge-side internal-only; Postfix outbound-only. OT layer (OPCUA, PLCs) is out of scope for this repo. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-21 12:37:59 +02:00
feat(portainer): standalone deploy with published 9443 for early ops access Bring up portainer first as the operator console — before nginx-proxy + TLS are wired. Self-signed UI on tcp/9443, edge-agent tunnel on tcp/8000. Once nginx-proxy lands, ports get commented out and access shifts to https://portainer.wbd-rd.nl/ behind the wildcard cert. The :9443 direct access remains as commented config for emergency ops if nginx is down. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-21 13:35:20 +02:00			`## Standalone first-run (cloud)`

			`Bring this up first, before nginx-proxy, so you have a GUI from day 1 to inspect containers, logs, networks, and volumes as the rest of the cloud stack comes online.`

			```bash
			`cd stacks/portainer`
			`docker compose up -d`
			```

			Browse `https://<cloud-host>:9443` (self-signed cert — accept once). Create the admin user on first visit.

			`## After nginx-proxy is up`

			`Once nginx-proxy + the wildcard cert are working:`

			1. Comment the `ports:` block in `compose.yml`.
			2. `docker compose down && docker compose up -d` (or recreate via cloud/compose.yml include).
			3. Browse `https://portainer.wbd-rd.nl/` (real cert, behind nginx).

			The direct `:9443` access is intentionally retained as commented-out config for emergency ops if nginx goes down.

			`## Edge-agent topology`

			Port `8000` accepts reverse tunnels from edge sites running the `portainer/agent` image. The central cloud Portainer then manages every edge Docker host. Agent-side config lives under `sites/<plant>/` once edge stacks are wired up.

			`## Networks`

			`- mgmt — Docker management plane`
			`- Docker socket: read-only mount; effectively root-equivalent on the host. Front with Keycloak SSO as soon as auth is wired.`

			`## Volumes`

			- `portainer-data` — Portainer DB (users, environments, stacks, settings)

			`## TODO`

			`- Keycloak OIDC auth (Portainer CE needs a frontend gate; Business Edition has native OIDC if budget allows)`
			`- Edge-agent provisioning workflow per site (agent secret, registration call)`
			- Disable self-signed `:9443` access after nginx-proxy goes live (operational hygiene)