container: selfhosted registry (#512)

Co-authored-by: Michael Grote <michael.grote@posteo.de>
Reviewed-on: #512
Michael Grote 2023-04-20 14:38:30 +02:00
parent 9868d6e2fd
commit 3d28646e1b
11 changed files with 116 additions and 13 deletions


@ -3,7 +3,7 @@ services:
apt-cacher-ng: apt-cacher-ng:
container_name: apt-cacher-ng container_name: apt-cacher-ng
restart: always restart: always
image: quotengrote/apt-cacher-ng:master image: registry.mgrote.net/apt-cacher-ng:master
ports: ports:
- "9999:9999" - "9999:9999"
volumes: volumes:


@ -18,7 +18,7 @@ services:
- '444:443' - '444:443'
restart: always restart: always
container_name: drone-server container_name: drone-server
image: 'drone/drone:latest' image: 'drone/drone:2'
networks: networks:
- intern - intern
labels: labels:
@ -43,7 +43,8 @@ services:
networks: networks:
- intern - intern
labels: labels:
- com.centurylinklabs.watchtower.enable=true com.centurylinklabs.watchtower.enable: true
com.centurylinklabs.watchtower.depends-on: drone-server
######## Volumes ######## ######## Volumes ########
volumes: volumes:


@ -63,9 +63,14 @@ services:
subtitle: "CI/CD" subtitle: "CI/CD"
- name: "httpd" - name: "httpd"
logo: "assets/icons/roundcube.png" logo: "assets/icons/roundcube.png"
url: " http://docker10.grote.lan:3344" url: "http://docker10.grote.lan:3344"
target: "_blank" target: "_blank"
subtitle: "Package-Registry" subtitle: "Package-Registry"
- name: "Container Registry"
logo: "assets/icons/hastebin.png"
url: "https://registry.mgrote.net/ui/index.html"
target: "_blank"
subtitle: "Container-Registry"
- name: "Infra" - name: "Infra"
icon: "fas fa-cloud" icon: "fas fa-cloud"


@ -14,7 +14,7 @@ services:
python-api-server: python-api-server:
container_name: httpd-api container_name: httpd-api
image: quotengrote/python-api-server:latest image: registry.mgrote.net/python-api-server:latest
restart: always restart: always
ports: ports:
- "5040:5000" - "5040:5000"


@ -58,7 +58,7 @@ services:
MF_API_URL: https://miniflux.mgrote.net/v1 MF_API_URL: https://miniflux.mgrote.net/v1
MF_SLEEP: 600 MF_SLEEP: 600
#MF_DEBUG: 1 #MF_DEBUG: 1
image: quotengrote/miniflux-filter:latest image: registry.mgrote.net/miniflux-filter:latest
volumes: volumes:
- ./filter.txt:/data/filter.txt - ./filter.txt:/data/filter.txt
networks: networks:


@ -2,7 +2,7 @@ version: '3'
services: services:
munin: munin:
container_name: "munin-master-prod" container_name: "munin-master-prod"
image: quotengrote/munin-server:master image: registry.mgrote.net/munin-server:master
restart: always restart: always
environment: environment:
MAILCONTACT: michael.grote@posteo.de MAILCONTACT: michael.grote@posteo.de


@ -3,7 +3,7 @@ services:
oxidized: oxidized:
restart: always restart: always
container_name: "oxidized" container_name: "oxidized"
image: oxidized/oxidized:latest # ist auf lokal gebautes Image gesetzt, nach https://github.com/ytti/oxidized/pull/2726 kann es wieder auf latest gesetzt werden image: oxidized/oxidized:latest
ports: ports:
- 8888:8888/tcp - 8888:8888/tcp
environment: environment:


@ -0,0 +1,83 @@
version: '3.3'
services:
oci-registry:
restart: always
container_name: oci-registry
image: registry:2
volumes:
- /mnt/oci-registry:/var/lib/registry
- ./htpasswd:/auth/htpasswd
networks:
- traefik
- intern
environment:
TZ: Europe/Berlin
REGISTRY_AUTH: none
REGISTRY_REDIS_ADDR: oci-registry-redis:6379
REGISTRY_REDIS_PASSWORD: {{ lookup('keepass', 'oci-registry-redis-pw', 'password') }}
REGISTRY_STORAGE_DELETE_ENABLED: true
labels:
traefik.http.routers.registry.rule: Host(`registry.mgrote.net`)
traefik.enable: true
traefik.http.routers.registry.tls: true
traefik.http.routers.registry.tls.certresolver: resolver_letsencrypt
traefik.http.routers.registry.entrypoints: entry_https
traefik.http.services.registry.loadbalancer.server.port: 5000
traefik.http.routers.registry.middlewares: registry-ipwhitelist
traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.sourcerange: 192.168.0.0/17
com.centurylinklabs.watchtower.depends-on: oci-registry-redis
com.centurylinklabs.watchtower.enable: true
# testen mit:
# docker pull ubuntu
# docker image tag ubuntu registry.mgrote.net/myfirstimage
# docker login --username regadmin --password <password> registry.mgrote.net
# docker push registry.mgrote.net/myfirstimage
# docker pull registry.mgrote.net/myfirstimage
oci-registry-redis:
image: redis:7
container_name: oci-registry-redis
networks:
- intern
restart: always
environment:
REDIS_PASSWORD: {{ lookup('keepass', 'oci-registry-redis-pw', 'password') }}
MAXMEMORY POLICY: allkeys-lru
labels:
com.centurylinklabs.watchtower.enable: true
oci-registry-ui:
restart: always
# url: registry.mgrote.net/ui/index.html
image: joxit/docker-registry-ui:latest
container_name: oci-registry-ui
environment:
DELETE_IMAGES: true
SINGLE_REGISTRY: true
NGINX_PROXY_PASS_URL: http://oci-registry:5000
networks:
- traefik
- intern
labels:
traefik.http.routers.registry-ui.rule: Host(`registry.mgrote.net`)&&PathPrefix(`/ui`) # mache unter /ui erreichbar, damit wird demPfad dieser Prefix hinzugefügt, die Anwendung "hört" dort abrer nicht
traefik.http.routers.registry-ui.middlewares: registry-ui-strip-prefix,registry-ui-auth # also entferne den Prefix danach wieder
traefik.http.middlewares.registry-ui-strip-prefix.stripprefix.prefixes: /ui # hier ist die Middleware definiert
traefik.enable: true
traefik.http.routers.registry-ui.tls: true
traefik.http.routers.registry-ui.tls.certresolver: resolver_letsencrypt
traefik.http.routers.registry-ui.entrypoints: entry_https
traefik.http.services.registry-ui.loadbalancer.server.port: 80
com.centurylinklabs.watchtower.depends-on: oci-registry-redis,oci-registry
com.centurylinklabs.watchtower.enable: true
traefik.http.middlewares.registry-ui-auth.basicauth.users: ui-user:$$2y$$05$$6NLaW1ewe/t4M/qnaPHCx.bmsIKR5MOukwJFrvhyFUcqueRcm9i8K # echo $(htpasswd -nB ui-user password) | sed -e s/\\$/\\$\\$/g
######## Networks ########
networks:
traefik:
external: true
intern:
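Review bot: The registry service runs with `REGISTRY_AUTH: none` even though `./htpasswd` is mounted at `/auth/htpasswd`, so any host inside the `192.168.0.0/17` whitelist (and any container on the `intern` network, which reaches `oci-registry:5000` without passing Traefik at all) can push, and with `REGISTRY_STORAGE_DELETE_ENABLED: true` delete, any image; since the other compose files in this commit now pull mutable `:master`/`:latest` tags from this registry under watchtower, an unauthenticated push effectively becomes code execution on those hosts. Enable the htpasswd backend the mount was evidently meant for: `REGISTRY_AUTH: htpasswd`, `REGISTRY_AUTH_HTPASSWD_REALM: registry.mgrote.net`, `REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd`. The test recipe's `docker login --username regadmin --password <password>` puts the secret into shell history and process listings, so prefer `--password-stdin`. The `{{ lookup('keepass', ...) }}` values are rendered into the compose file unquoted, so a password containing `#`, `: ` or a leading YAML indicator breaks the file; wrap them as `"{{ lookup('keepass', 'oci-registry-redis-pw', 'password') }}"`. It also looks like the official `redis:7` image does not read `REDIS_PASSWORD` or `MAXMEMORY POLICY` (the latter is not even a valid variable name), so redis presumably starts without the password the registry is configured to send — worth confirming in the registry logs.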


@ -9,7 +9,7 @@ providers:
entryPoints: entryPoints:
entry_http: entry_http:
address: :80 address: :80
http: #Umleitung http zu https http: # Umleitung http zu https
redirections: redirections:
entryPoint: entryPoint:
to: entry_https to: entry_https
@ -20,7 +20,7 @@ entryPoints:
entry_ssh: entry_ssh:
address: :2222 # wenn hier zusätzliche Ports eingetragen werden, müssen diese auch in der docker-compose.yml als Ports gemappt werden address: :2222 # wenn hier zusätzliche Ports eingetragen werden, müssen diese auch in der docker-compose.yml als Ports gemappt werden
#letsencrypt # letsencrypt
certificatesResolvers: certificatesResolvers:
resolver_letsencrypt: resolver_letsencrypt:
acme: acme:
@ -35,4 +35,4 @@ log:
api: api:
insecure: true insecure: true
dashboard: true #unter Port 8081 erreichbar dashboard: true # unter Port 8081 erreichbar


@ -12,10 +12,21 @@
filesystem: xfs filesystem: xfs
mount: true mount: true
mntp: /var/lib/docker mntp: /var/lib/docker
- vgname: vg_docker_volumes
disks:
- /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi2
create: true
lvnames:
- lvname: ociregistry
size: +100%FREE
create: true
filesystem: xfs
mount: true
mntp: /mnt/oci-registry
manage_lvm: true manage_lvm: true
pvresize_to_max: true pvresize_to_max: true
### mgrote.restic ### mgrote.restic
restic_folders_to_backup: "/ /var/lib/docker" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben restic_folders_to_backup: "/ /var/lib/docker /mnt/oci-registry" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben
### mgrote.docker-compose-inline ### mgrote.docker-compose-inline
compose_owner: "docker-user" compose_owner: "docker-user"
@ -55,6 +66,9 @@
state: present state: present
- name: acng - name: acng
state: present state: present
- name: registry
state: present
network: traefik
### oefenweb.ufw ### oefenweb.ufw
ufw_rules: ufw_rules:
- rule: allow - rule: allow
