infra/stacks/portainer
znetsixe 67b37b9b2a feat(portainer): standalone deploy with published 9443 for early ops access
Bring up portainer first as the operator console — before nginx-proxy + TLS
are wired. Self-signed UI on tcp/9443, edge-agent tunnel on tcp/8000.

Once nginx-proxy lands, ports get commented out and access shifts to
https://portainer.wbd-rd.nl/ behind the wildcard cert. The :9443 direct
access remains as commented config for emergency ops if nginx is down.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 13:35:20 +02:00

portainer

Docker container management UI — the "operator console" for cloud and edge.

Standalone first-run (cloud)

Bring this up first, before nginx-proxy, so you have a GUI from day 1 to inspect containers, logs, networks, and volumes as the rest of the cloud stack comes online.

cd stacks/portainer
docker compose up -d

Browse https://<cloud-host>:9443 (self-signed cert: accept it once, and note the fingerprint you accepted so a later change stands out). Create the admin user immediately on the first visit: until an admin exists, anyone who can reach :9443 can claim the instance, and Portainer closes the first-run setup after a few minutes, after which the container has to be restarted to reopen it.

After nginx-proxy is up

Once nginx-proxy + the wildcard cert are working:

  1. Comment out the 9443 line in the ports: block in compose.yml. Leave 8000 published: edge agents open their tunnel to it directly, not through nginx.
  2. docker compose down && docker compose up -d (or recreate via cloud/compose.yml include).
  3. Browse https://portainer.wbd-rd.nl/ (real cert, behind nginx). nginx-proxy has to share a Docker network with the portainer container to reach it.

The direct :9443 access is intentionally retained as commented-out config for emergency ops if nginx goes down.
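
The compose.yml both procedures above edit is not shown on this page, so here is an added example of one that covers the standalone first run and the later move behind nginx-proxy (example only, not the repo's actual file). Assumptions made here: the server runs Portainer CE pinned to the lts image tag with the plaintext :9000 listener switched off; the proxy is nginxproxy/nginx-proxy, which routes on the VIRTUAL_HOST / VIRTUAL_PORT / VIRTUAL_PROTO environment variables; and the mgmt network is also the one nginx-proxy joins. Nothing here is verified against the real stack.

```yaml
# stacks/portainer/compose.yml (added example, not the repo's file)
services:
  portainer:
    image: portainer/portainer-ce:lts      # assumption: CE, pinned to the lts tag
    container_name: portainer
    restart: unless-stopped
    command: --http-disabled               # no plaintext :9000; UI answers on 9443 only
    ports:
      # Phase 1 (before nginx-proxy): published straight to the host for early ops.
      # Phase 2: comment the 9443 line out; keep it here for emergency access when
      # nginx is down. 8000 stays published in both phases: edge agents tunnel to it
      # directly, so routing it via the proxy is not assumed here.
      - "9443:9443"                        # UI, self-signed TLS
      - "8000:8000"                        # edge-agent reverse tunnel
    environment:
      # Phase 2 routing labels (assumption: nginxproxy/nginx-proxy). Harmless while the
      # proxy does not exist yet, so they can be set from day 1.
      VIRTUAL_HOST: portainer.wbd-rd.nl
      VIRTUAL_PORT: "9443"
      VIRTUAL_PROTO: https                 # proxy to the TLS listener; nginx does not verify upstream certs
    volumes:
      # :ro only affects the socket node in the container's filesystem; every Docker
      # API call over it still works, so this is host-root for anyone with a Portainer login.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - portainer-data:/data               # users, environments, stacks, settings
    networks:
      - mgmt

networks:
  mgmt:
    name: mgmt                             # assumption: shared with nginx-proxy so it can reach portainer

volumes:
  portainer-data:
```

Using VIRTUAL_PORT 9443 with VIRTUAL_PROTO https keeps the traffic between nginx and Portainer encrypted on the mgmt network; pointing the proxy at 9000 over plain HTTP would also work but requires dropping --http-disabled.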

Edge-agent topology

Port 8000 accepts reverse tunnels from edge sites running the portainer/agent image. The central cloud Portainer then manages every edge Docker host. Agent-side config lives under sites/<plant>/ once edge stacks are wired up.
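
As an added example of what the agent side of that topology looks like (not the repo's code; per-site config is still listed as a TODO below), this is a compose file for one edge Docker host. The EDGE_ID and EDGE_KEY values are placeholders: both are issued by the cloud Portainer when an Edge environment is added there, and the key carries the server URL and tunnel address as they were configured at the time it was issued, so keys handed out while the server was still reached as https://<cloud-host>:9443 are worth re-checking after the move to portainer.wbd-rd.nl. The image tag is an assumption.

```yaml
# sites/<plant>/ edge-agent stack (added example, not the repo's file)
services:
  portainer-edge-agent:
    image: portainer/agent:lts            # assumption: agent release matching the server's
    container_name: portainer_edge_agent
    restart: unless-stopped
    environment:
      EDGE: "1"
      # Placeholders: both values come from the cloud Portainer's "Add environment"
      # screen for this site and must be replaced before deploying.
      EDGE_ID: "00000000-0000-0000-0000-000000000000"
      EDGE_KEY: "REPLACE_WITH_EDGE_KEY"
      # Phase 1 only: the cloud UI still presents the self-signed :9443 cert, so the
      # agent's HTTPS poll cannot verify it. Remove this line once the agent polls
      # https://portainer.wbd-rd.nl/ behind the real wildcard cert.
      EDGE_INSECURE_POLL: "1"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes   # needed for volume browsing from the cloud UI
      - portainer-agent-data:/data                        # agent state, including the registered key
    # No ports are published: the agent dials out to cloud:8000, nothing dials in.

volumes:
  portainer-agent-data:
```

The agent needs no inbound port at the plant; the only connectivity requirement is outbound from the edge host to the cloud API URL and to tcp/8000 for the tunnel. The root-filesystem mount some Portainer examples add for host management is deliberately left out here.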

Networks

  • mgmt — Docker management plane
  • Docker socket: mounted read-only, but :ro only restricts the socket node in the container's filesystem, not the Docker API behind it. Anyone who can drive that API can start a privileged container, so a Portainer login is effectively root on the host. Front with Keycloak SSO as soon as auth is wired, and keep :9443 off the public side.

Volumes

  • portainer-data — Portainer DB (users, environments, stacks, settings)

TODO

  • Keycloak OIDC auth (check whether Portainer CE's built-in OAuth with a custom provider covers Keycloak; otherwise a frontend gate on nginx-proxy, or Business Edition if budget allows)
  • Edge-agent provisioning workflow per site (agent secret, registration call)
  • Disable self-signed :9443 access after nginx-proxy goes live (operational hygiene)