From 67b37b9b2a06cf8566e73bbb8ff18602b82a4c5b Mon Sep 17 00:00:00 2001
From: znetsixe
Date: Thu, 21 May 2026 13:35:20 +0200
Subject: [PATCH] feat(portainer): standalone deploy with published 9443 for early ops access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bring up portainer first as the operator console — before nginx-proxy + TLS are wired. Self-signed UI on tcp/9443, edge-agent tunnel on tcp/8000. Once nginx-proxy lands, ports get commented out and access shifts to https://portainer.wbd-rd.nl/ behind the wildcard cert. The :9443 direct access remains as commented config for emergency ops if nginx is down.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 stacks/portainer/README.md | 45 ++++++++++++++++++++++++++++++++----
 stacks/portainer/compose.yml | 10 ++++++--
 2 files changed, 48 insertions(+), 7 deletions(-)

diff --git a/stacks/portainer/README.md b/stacks/portainer/README.md
index 5a9bf63..762cddc 100644
--- a/stacks/portainer/README.md
+++ b/stacks/portainer/README.md
@@ -1,8 +1,43 @@
 # portainer
-Docker container management UI. Used at both cloud and edge.
+Docker container management UI — the "operator console" for cloud and edge.
-- **Network**: `mgmt`
-- **Docker socket**: mounted read-only (`/var/run/docker.sock`) — effectively root-equivalent on the host. Restrict access via nginx-proxy + Keycloak.
-- **Volume**: `portainer-data`
-- **TODO**: edge-agent topology — each edge runs a portainer-agent that registers back to cloud-central portainer
+## Standalone first-run (cloud)
+
+Bring this up **first**, before nginx-proxy, so you have a GUI from day 1 to inspect containers, logs, networks, and volumes as the rest of the cloud stack comes online.
+
+```bash
+cd stacks/portainer
+docker compose up -d
+```
+
+Browse `https://:9443` (self-signed cert — accept once). Create the admin user on first visit.
+
+## After nginx-proxy is up
+
+Once nginx-proxy + the wildcard cert are working:
+
+1. Comment the `ports:` block in `compose.yml`.
+2. `docker compose down && docker compose up -d` (or recreate via cloud/compose.yml include).
+3. Browse `https://portainer.wbd-rd.nl/` (real cert, behind nginx).
+
+The direct `:9443` access is intentionally retained as commented-out config for emergency ops if nginx goes down.
+
+## Edge-agent topology
+
+Port `8000` accepts reverse tunnels from edge sites running the `portainer/agent` image. The central cloud Portainer then manages every edge Docker host. Agent-side config lives under `sites//` once edge stacks are wired up.
+
+## Networks
+
+- **mgmt** — Docker management plane
+- **Docker socket**: read-only mount; *effectively root-equivalent* on the host. Front with Keycloak SSO as soon as auth is wired.
+
+## Volumes
+
+- `portainer-data` — Portainer DB (users, environments, stacks, settings)
+
+## TODO
+
+- Keycloak OIDC auth (Portainer CE needs a frontend gate; Business Edition has native OIDC if budget allows)
+- Edge-agent provisioning workflow per site (agent secret, registration call)
+- Disable self-signed `:9443` access after nginx-proxy goes live (operational hygiene)
diff --git a/stacks/portainer/compose.yml b/stacks/portainer/compose.yml
index 89917c8..776cc64 100644
--- a/stacks/portainer/compose.yml
+++ b/stacks/portainer/compose.yml
@@ -1,15 +1,21 @@
-# portainer — container management UI
+# portainer — container management UI (operator console)
 # Networks: mgmt
+#
+# Standalone deploy publishes 9443 directly so you have a GUI from day 1,
+# before nginx-proxy + TLS are wired up. Once nginx-proxy is up, comment
+# the `ports:` block and access via https://portainer.wbd-rd.nl/.
 services:
 portainer:
 image: portainer/portainer-ce:2.21.4
 restart: unless-stopped
 networks: [mgmt]
+ ports:
+ - "9443:9443" # HTTPS UI, self-signed cert (early-stage direct access)
+ - "8000:8000" # Edge-agent reverse tunnel (for edge sites)
 volumes:
 - portainer-data:/data
 - /var/run/docker.sock:/var/run/docker.sock:ro
- # TODO: edge-agent on each site connected back to this central portainer
 networks:
 mgmt:
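Review bot: The two new `ports:` entries bind 9443 and 8000 on every host interface, and Docker's published-port iptables rules commonly bypass a host firewall such as ufw, so the self-signed UI is reachable from wherever the host is, with nothing in front of it until nginx-proxy and Keycloak exist. Because `/var/run/docker.sock` is mounted into this container, an unauthenticated reach to 9443 in the window before the first-visit admin account is created is effectively host root, and the README's "comment the `ports:` block later" step is manual cleanup that is easy to forget. Bind the UI to loopback or a management address and reach it over an SSH port forward or VPN, e.g. `- "127.0.0.1:9443:9443"  # HTTPS UI, self-signed cert — reach via ssh -L` (or a `<MGMT_IP>:9443:9443` placeholder for a dedicated management interface), and leave `8000:8000` commented until the first edge site actually registers, since the README says edge stacks are not wired up yet. Seeding the initial admin through Portainer's `--admin-password-file` rather than the first-visit flow would close the setup window as well, and a loopback-bound port still serves as the documented emergency path if nginx is down.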