version: '3'

services:
  portainer:
    image: portainer/portainer-ce:latest
    pull_policy: always
    container_name: portainer
    restart: always
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 9000:9000
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
#      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /dockdata/portainer/data:/data
    labels:
      - "traefik.enable=true"
#      - "traefik.http.routers.portainer.entrypoints=web"
#      - "traefik.http.routers.portainer.rule=Host(`portainer.domain.tld`)"
#      - "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
#      - "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
      - "traefik.http.routers.portainer-secure.entrypoints=websecure"
      - "traefik.http.routers.portainer-secure.rule=Host(`portainer.domain.tld`)"
      - "traefik.http.routers.portainer-secure.tls=true"
      - "traefik.http.routers.portainer-secure.tls.certresolver=production"
#      - "traefik.http.routers.portainer.service=portainer"
#      - "traefik.http.routers.portainer-secure.service=portainer"
      - "traefik.http.services.portainer-secure.loadbalancer.server.port=9000"
      - "traefik.http.routers.portainer-secure.middlewares=default-whitelist@file"
      - "traefik.docker.network=proxy"

  portainer_agent:
    image: portainer/agent:latest
    pull_policy: always
    container_name: portainer_agent
    restart: always
    networks:
      - proxy
    ports:
      - 9001:9001
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro

networks:
  proxy:
    external: true