networks:
  backend:
    external: true
services:
  portainer:
    image: portainer/portainer-ce:latest
    security_opt:
      - apparmor:unconfined
    container_name: portainer-ce
    ports:
      - 9000:9000
      - 8000:8000
    volumes:
      - /docker/appdata/portainer-ce:/data
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - traefik.enable=true
      - traefik.http.routers.portainer.entrypoints=websecure
      - traefik.http.routers.portainer.rule=Host(`example.domain.com`)
      - traefik.http.routers.portainer.tls=true
      - traefik.http.routers.portainer.tls.certresolver=production
      - traefik.http.services.portainer.loadBalancer.server.port=9000
      - traefik.http.routers.portainer.service=portainer
    networks:
      - backend
    restart: unless-stopped
volumes:
  data: