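# Example: Internal-only service (Portainer)
# Accessible only via Tailscale/VPN
#
# Structure restored to one key per line: collapsed onto a single line, the
# whole file parses as one YAML comment and defines no service at all.
version: "3.8"

networks:
  # Pre-existing network created outside this file and shared with Traefik.
  services:
    external: true

volumes:
  portainer-data: {}

services:
  portainer:
    # NOTE(review): ":latest" is a mutable tag. Pin a specific release tag or
    # image digest so an upstream push cannot silently change what runs with
    # access to the Docker socket.
    image: portainer/portainer-ce:latest
    container_name: portainer
    restart: unless-stopped
    # Prevent processes in the container from gaining privileges through
    # setuid/setgid binaries.
    security_opt:
      - "no-new-privileges:true"
    networks:
      - services
    volumes:
      # ":ro" makes only the bind mount read-only; it does not restrict the
      # Docker API calls sent through the socket. Anyone who can log in to
      # Portainer can control every container on this host, so treat
      # Portainer access as equivalent to root on the host.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - portainer-data:/data
    labels:
      - "traefik.enable=true"
      # Internal entrypoint only - NOT exposed to internet
      # NOTE(review): this holds only if the "internal" entrypoint in
      # Traefik's static configuration (not shown here) is bound to the
      # VPN/Tailscale interface - confirm there.
      - "traefik.http.routers.portainer.rule=Host(`docker.local.lemonlink.eu`)"
      - "traefik.http.routers.portainer.entrypoints=internal"
      # Publicly trusted certificates are recorded in Certificate Transparency
      # logs, so this hostname becomes publicly discoverable even though the
      # service itself is not reachable from the internet.
      - "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
      # Optional: Skip Authelia for Portainer if it has its own auth
      # Or keep it for extra security
      # Keeping it is the safer default given the socket access above.
      - "traefik.http.routers.portainer.middlewares=authelia@docker"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"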