feat(portainer): standalone deploy with published 9443 for early ops access

Bring up portainer first as the operator console — before nginx-proxy + TLS
are wired. Self-signed UI on tcp/9443, edge-agent tunnel on tcp/8000.

Once nginx-proxy lands, ports get commented out and access shifts to
https://portainer.wbd-rd.nl/ behind the wildcard cert. The :9443 direct
access remains as commented config for emergency ops if nginx is down.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

stacks/portainer/README.md

@@ -1,8 +1,43 @@
 # portainer
 
-Docker container management UI. Used at both cloud and edge.
+Docker container management UI — the "operator console" for cloud and edge.
 
-- **Network**: `mgmt`
-- **Docker socket**: mounted read-only (`/var/run/docker.sock`) — effectively root-equivalent on the host. Restrict access via nginx-proxy + Keycloak.
-- **Volume**: `portainer-data`
-- **TODO**: edge-agent topology — each edge runs a portainer-agent that registers back to cloud-central portainer
+## Standalone first-run (cloud)
+
+Bring this up **first**, before nginx-proxy, so you have a GUI from day 1 to inspect containers, logs, networks, and volumes as the rest of the cloud stack comes online.
+
+```bash
+cd stacks/portainer
+docker compose up -d
+```
+
+Browse `https://<cloud-host>:9443` (self-signed cert — accept once). Create the admin user on first visit.
+
+## After nginx-proxy is up
+
+Once nginx-proxy + the wildcard cert are working:
+
+1. Comment the `ports:` block in `compose.yml`.
+2. `docker compose down && docker compose up -d` (or recreate via cloud/compose.yml include).
+3. Browse `https://portainer.wbd-rd.nl/` (real cert, behind nginx).
+
+The direct `:9443` access is intentionally retained as commented-out config for emergency ops if nginx goes down.
+
+## Edge-agent topology
+
+Port `8000` accepts reverse tunnels from edge sites running the `portainer/agent` image. The central cloud Portainer then manages every edge Docker host. Agent-side config lives under `sites/<plant>/` once edge stacks are wired up.
+
+## Networks
+
+- **mgmt** — Docker management plane
+- **Docker socket**: read-only mount; *effectively root-equivalent* on the host. Front with Keycloak SSO as soon as auth is wired.
+
+## Volumes
+
+- `portainer-data` — Portainer DB (users, environments, stacks, settings)
+
+## TODO
+
+- Keycloak OIDC auth (Portainer CE needs a frontend gate; Business Edition has native OIDC if budget allows)
+- Edge-agent provisioning workflow per site (agent secret, registration call)
+- Disable self-signed `:9443` access after nginx-proxy goes live (operational hygiene)

stacks/portainer/compose.yml

@@ -1,15 +1,21 @@
-# portainer — container management UI
+# portainer — container management UI (operator console)
 # Networks: mgmt
+#
+# Standalone deploy publishes 9443 directly so you have a GUI from day 1,
+# before nginx-proxy + TLS are wired up. Once nginx-proxy is up, comment
+# the `ports:` block and access via https://portainer.wbd-rd.nl/.
 
 services:
   portainer:
     image: portainer/portainer-ce:2.21.4
     restart: unless-stopped
     networks: [mgmt]
+    ports:
+      - "9443:9443"          # HTTPS UI, self-signed cert (early-stage direct access)
+      - "8000:8000"          # Edge-agent reverse tunnel (for edge sites)
     volumes:
       - portainer-data:/data
       - /var/run/docker.sock:/var/run/docker.sock:ro
-    # TODO: edge-agent on each site connected back to this central portainer
 
 networks:
   mgmt: