services:
  portainer:
    env_file: .env
    # if behind proxy
#    command: --trusted-origins=portainer.vdglab.net
    # without proxy
    #command: --sslcert /certs/gmolab.net.crt --sslkey /certs/gmolab.net.key
    #command: --sslcert /certs/gmotech.net.crt --sslkey /certs/gmotech.net.key
    image: portainer/portainer-ee:latest
    networks:
      - traefik-net  
    container_name: portainer
#    ports:
      # if behind proxy
#      - 9000:9000 
      # without proxy
      #- 9443:9443
    volumes:
      # without proxy
      #- /home/docker/certs:/certs    
      - /home/docker/portainer/data:/data
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`${TFK_HOST}`)"
      - "traefik.docker.network=traefik-net"      
      - "traefik.http.routers.portainer.entrypoints=websecure"
      - "traefik.http.routers.portainer.tls=true"
#      # Facultatif mais propre : forcer l'usage du cert SSL défini dans le fichier dynamique
      - "traefik.http.routers.portainer.tls.options=default"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
    restart: always
networks:
  traefik-net:
    external: true