# Docker Compose for Portainer with Traefik Labels
#
# This configuration deploys the Portainer Community Edition container
# and uses Docker labels to integrate it with a running Traefik instance.
#
version: '3.8'

services:
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    restart: unless-stopped
    # The command tells Portainer to manage the local Docker environment.
    command: -H unix:///var/run/docker.sock
    ports:
    - 8000:8000/tcp
    - 9443:9443/tcp
    volumes:
      # Mount the Docker socket to allow Portainer to manage containers.
      - /var/run/docker.sock:/var/run/docker.sock
      # A named volume for Portainer's persistent data.
      - /docker/portainer:/data
    networks:
      # Connect Portainer to your existing Traefik proxy network.
      # IMPORTANT: Replace 'proxy' with the actual name of your Traefik network.
      - proxy
    labels:
      traefik.enable: 'true'
      traefik.docker.network: proxy
      traefik.http.routers.portainer.rule: Host(`edgeweb.kaspers.us`)
      traefik.http.routers.portainer.entrypoints: 'websecure'
      traefik.http.routers.portainer.tls.certresolver: 'letsencrypt'
      traefik.http.services.portainer.loadbalancer.server.port: '9443'
      traefik.http.services.portainer.loadbalancer.server.scheme: 'https'
      traefik.http.routers.portainer.tls: 'true'

      # --- Authentik Middleware (Optional) ---
      # If you have Authentik configured as a middleware in Traefik,
      # uncomment the line below to protect the Portainer dashboard.
      # Replace 'authentik@docker' if your middleware has a different name.
      # - "traefik.http.routers.portainer.middlewares=authentik@docker"


networks:
  # Define the external network created by your main Traefik stack.
  # This tells Docker Compose not to create a new network.
  proxy:
    external: true