# portainer

Docker container management UI — the "operator console" for cloud and edge.

## Access

Portainer is reached through nginx-proxy at `https://ops.wbd-rd.nl/`. No host port is published by default. For emergency ops (nginx down, etc.), uncomment the `ports:` block in `compose.yml` and run `docker compose up -d portainer` to expose `:9443` and `:8000` directly.

## First-run admin

On first visit, Portainer prompts for an admin username and password. Use a long random password; this account is break-glass, and your daily login should come via Keycloak OIDC once that gate is wired (see TODO).

## Edge-agent topology

Port `8000` accepts reverse tunnels from edge sites running the `portainer/agent` image. The central cloud Portainer then manages every edge Docker host. Agent-side config lives under `sites//` once edge stacks are wired up.

## Networks

- **mgmt** — Docker management plane
- **Docker socket**: read-only mount; *effectively root-equivalent* on the host, because the read-only flag does not restrict Docker API calls made over the socket. Front with Keycloak SSO as soon as auth is wired.

## Volumes

- `portainer-data` — Portainer DB (users, environments, stacks, settings)

## TODO

- Keycloak OIDC auth (Portainer CE needs a frontend gate; Business Edition has native OIDC if budget allows)
- Edge-agent provisioning workflow per site (agent secret, registration call)
- Disable self-signed `:9443` access after nginx-proxy goes live (operational hygiene)
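
To confirm that the emergency `ports:` block was re-commented after an incident and to see how the Docker socket is mounted, the output of `docker inspect` can be audited. The script below is an added example, not part of this repository; the container name `portainer`, the script name and the embedded sample JSON are assumptions constructed for illustration.

```python
import json
import sys

# Constructed sample of `docker inspect` output, trimmed to the fields this
# check reads. It models the emergency state with the `ports:` block enabled.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/portainer",  # assumed container name
    "HostConfig": {"PortBindings": {
        "9443/tcp": [{"HostIp": "", "HostPort": "9443"}],
        "8000/tcp": [{"HostIp": "", "HostPort": "8000"}],
    }},
    "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "Mode": "ro", "RW": False},
        {"Type": "volume", "Name": "portainer-data",
         "Destination": "/data", "Mode": "rw", "RW": True},
    ],
}])


def audit(inspect_json):
    """Return findings: published host ports and Docker socket mounts."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        bindings = (container.get("HostConfig") or {}).get("PortBindings") or {}
        for port, hosts in sorted(bindings.items()):
            for host in hosts or []:
                addr = host.get("HostIp") or "all interfaces"
                findings.append(
                    f"{name}: {port} published on host port "
                    f"{host.get('HostPort')} ({addr})")
        for mount in container.get("Mounts") or []:
            if mount.get("Source", "").endswith("docker.sock"):
                mode = "read-write" if mount.get("RW") else "read-only"
                findings.append(
                    f"{name}: Docker socket mounted {mode}; "
                    "API access is root-equivalent either way")
    return findings


if __name__ == "__main__":
    # Usage: docker inspect portainer > inspect.json
    #        python audit_portainer.py inspect.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    print("\n".join(audit(data)) or "no findings")
```

In the default configuration described above, the only expected finding is the read-only socket mount; any `published on host port` line means the direct `:9443`/`:8000` exposure is still active.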