---
# Portainer CE published through a Traefik reverse proxy on the pre-existing
# "mgmt" network. Compose substitutes ${TAG}, ${SUBDOMAIN} and ${DOMAIN_NAME}
# from the shell environment or from the project's .env file.
services:
  portainer:
    # TAG falls back to "latest", a mutable tag: each pull can bring in a
    # different image. Set TAG to a specific release (or reference a digest)
    # so upgrades of this Docker-admin container are deliberate and auditable.
    image: 'portainer/portainer-ce:${TAG:-latest}'
    container_name: portainer
    restart: always
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.portainer.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)'
      # Network Traefik uses to reach this container.
      - 'traefik.docker.network=mgmt'
      - 'traefik.http.services.portainer.loadbalancer.server.port=9000'
      # With tls=true the router only matches TLS requests. "web" and
      # "websecure" are entrypoint names from Traefik's static configuration
      # (not shown here); if "web" is the plain-HTTP entrypoint, this router
      # and its redirect middleware never see those requests - confirm that
      # HTTP->HTTPS redirection is handled at the entrypoint.
      - 'traefik.http.routers.portainer.tls=true'
      - 'traefik.http.routers.portainer.entrypoints=web,websecure'
      - 'traefik.http.routers.portainer.tls.certresolver=cloudflare'
      # Response-header middleware "portainer".
      # NOTE(review): SSLRedirect and SSLHost are deprecated header options in
      # Traefik v2 and no longer accepted in v3 - check against the Traefik
      # version in use before upgrading.
      - 'traefik.http.middlewares.portainer.headers.SSLRedirect=true'
      # HSTS: 315360000 s is ten years, with includeSubDomains and preload.
      # Browsers that see it refuse plain HTTP for this host and its
      # subdomains for that long, so make sure all of them serve HTTPS.
      - 'traefik.http.middlewares.portainer.headers.STSSeconds=315360000'
      # Sets the legacy X-XSS-Protection header.
      - 'traefik.http.middlewares.portainer.headers.browserXSSFilter=true'
      # Sets X-Content-Type-Options: nosniff.
      - 'traefik.http.middlewares.portainer.headers.contentTypeNosniff=true'
      - 'traefik.http.middlewares.portainer.headers.forceSTSHeader=true'
      - 'traefik.http.middlewares.portainer.headers.SSLHost=${DOMAIN_NAME}'
      - 'traefik.http.middlewares.portainer.headers.STSIncludeSubdomains=true'
      - 'traefik.http.middlewares.portainer.headers.STSPreload=true'
      # Only the header middleware is attached: nothing at the proxy limits
      # who can reach the Portainer login page, so access control rests on
      # Portainer's own authentication.
      - 'traefik.http.routers.portainer.middlewares=portainer@docker'
    # Every variable in .env is injected into the container environment.
    # Keep secrets that Portainer does not need out of that file.
    env_file:
      - '.env'
    volumes:
      # The Docker socket gives this container full control of the Docker
      # Engine API, which is equivalent to root on the host. Anyone who gets
      # into Portainer can start privileged containers and mount host paths.
      - '/var/run/docker.sock:/var/run/docker.sock'
      # Portainer's persistent state, kept next to this compose file.
      - './data:/data'
    # expose does not publish the port on the host; 9000 is reachable only
    # from containers that share a network with this one.
    expose:
      - '9000'
    networks:
      - mgmt

networks:
  # Not created by this file: "mgmt" must already exist. Every container
  # attached to it can reach Portainer on port 9000 without going through
  # Traefik.
  mgmt:
    external: true