# portainer — container management UI (operator console)
# Networks: mgmt (docker socket plane) + app (nginx-proxy reaches HTTPS upstream)
# Ingress: nginx-proxy → portainer:9443 (self-signed upstream cert) → portainer.wbd-rd.nl
#
# Direct :9443 host access is intentionally NOT published anymore — re-enable
# only for emergency ops by uncommenting the `ports:` block below.

services:
  portainer:
    image: portainer/portainer-ce:2.21.4
    restart: unless-stopped
    networks: [mgmt, app]
    # ports:
    #   - "9443:9443"        # HTTPS UI direct access (emergency ops only)
    #   - "8000:8000"        # Edge-agent reverse tunnel (open when wiring edges)
    volumes:
      - portainer-data:/data
      - /var/run/docker.sock:/var/run/docker.sock:ro

networks:
  mgmt:
  app:

volumes:
  portainer-data: