# portainer

Docker container management UI — the "operator console" for cloud and edge.

## Standalone first-run (cloud)

Bring this up **first**, before nginx-proxy, so you have a GUI from day 1 to inspect containers, logs, networks, and volumes as the rest of the cloud stack comes online.

```bash
cd stacks/portainer
docker compose up -d
```

Browse `https://<cloud-host>:9443` (self-signed cert — accept once). Create the admin user on first visit.

## After nginx-proxy is up

Once nginx-proxy + the wildcard cert are working:

1. Comment the `ports:` block in `compose.yml`.
2. `docker compose down && docker compose up -d` (or recreate via cloud/compose.yml include).
3. Browse `https://portainer.wbd-rd.nl/` (real cert, behind nginx).

The direct `:9443` access is intentionally retained as commented-out config for emergency ops if nginx goes down.

## Edge-agent topology

Port `8000` accepts reverse tunnels from edge sites running the `portainer/agent` image. The central cloud Portainer then manages every edge Docker host. Agent-side config lives under `sites/<plant>/` once edge stacks are wired up.

## Networks

- **mgmt** — Docker management plane
- **Docker socket**: read-only mount; *effectively root-equivalent* on the host. Front with Keycloak SSO as soon as auth is wired.

## Volumes

- `portainer-data` — Portainer DB (users, environments, stacks, settings)

## TODO

- Keycloak OIDC auth (Portainer CE needs a frontend gate; Business Edition has native OIDC if budget allows)
- Edge-agent provisioning workflow per site (agent secret, registration call)
- Disable self-signed `:9443` access after nginx-proxy goes live (operational hygiene)