version: '3.2'

services:
  agent:
    image: portainer/agent
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - agent_network
    ports:
      - "9001:9001"
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]
      labels:
        - "traefik.enable=false"        

  portainer:
    image: portainer/portainer-ce
# create (initial) primary endpoint        
    command: -H tcp://tasks.agent:9001 --tlsskipverify
# create (initial) local endpoint        
#    command: -H unix:///var/run/docker.sock
    ports:
      - "9000:9000"
# on AWS cloud9 (urlpreview z IDE mapped to port 8080)
#      - "8080:9000" 
      - "8000:8000"
# local with https self-signed cert      
      - "9443:9443"      
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock    
      - data:/data
    networks:
      - agent_network
      - web
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=web"  
        - "traefik.http.routers.portainer-rt.rule=Host(`domain.tld`)"         
        - "traefik.http.routers.portainer-rt.entrypoints=websecure"  
        - "traefik.http.routers.portainer-rt.service=portainer-sv"          
        - "traefik.http.routers.portainer-rt.tls=true"    
        - "traefik.http.routers.portainer-rt.tls.certresolver=ovh"      
        - "traefik.http.services.portainer-sv.loadbalancer.server.port=9000"        

networks:
  agent_network:
    driver: overlay
    attachable: true
  web:
    external:
      name: web  

volumes:
  data: