container: selfhosted registry (#512)
Co-authored-by: Michael Grote <michael.grote@posteo.de> Reviewed-on: #512
This commit is contained in:
parent
9868d6e2fd
commit
3d28646e1b
11 changed files with 116 additions and 13 deletions
|
@ -3,7 +3,7 @@ services:
|
||||||
apt-cacher-ng:
|
apt-cacher-ng:
|
||||||
container_name: apt-cacher-ng
|
container_name: apt-cacher-ng
|
||||||
restart: always
|
restart: always
|
||||||
image: quotengrote/apt-cacher-ng:master
|
image: registry.mgrote.net/apt-cacher-ng:master
|
||||||
ports:
|
ports:
|
||||||
- "9999:9999"
|
- "9999:9999"
|
||||||
volumes:
|
volumes:
|
||||||
|
|
|
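Review bot: The image switched here now pulls a mutable `master` tag from registry.mgrote.net, which the new registry compose file in this commit configures with `REGISTRY_AUTH: none` behind an IP whitelist only, so any host in that range can overwrite the tag this service deploys (automatically, wherever the watchtower label is enabled). Pinning by digest, e.g. `image: registry.mgrote.net/apt-cacher-ng@sha256:<digest>`, or enabling authentication on the registry would narrow that. The same point applies to the python-api-server, miniflux-filter and munin-server hunks further down.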
@ -18,7 +18,7 @@ services:
|
||||||
- '444:443'
|
- '444:443'
|
||||||
restart: always
|
restart: always
|
||||||
container_name: drone-server
|
container_name: drone-server
|
||||||
image: 'drone/drone:latest'
|
image: 'drone/drone:2'
|
||||||
networks:
|
networks:
|
||||||
- intern
|
- intern
|
||||||
labels:
|
labels:
|
||||||
|
@ -43,7 +43,8 @@ services:
|
||||||
networks:
|
networks:
|
||||||
- intern
|
- intern
|
||||||
labels:
|
labels:
|
||||||
- com.centurylinklabs.watchtower.enable=true
|
com.centurylinklabs.watchtower.enable: true
|
||||||
|
com.centurylinklabs.watchtower.depends-on: drone-server
|
||||||
|
|
||||||
######## Volumes ########
|
######## Volumes ########
|
||||||
volumes:
|
volumes:
|
||||||
|
|
|
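Review bot: The labels block is rewritten from list form to mapping form, and `com.centurylinklabs.watchtower.enable: true` is now a YAML boolean rather than the string `true` the list entry produced. Compose implementations differ in whether they stringify boolean label values or reject them, so quoting keeps the value a string on every version: `com.centurylinklabs.watchtower.enable: "true"`. The same unquoted `true` appears in the labels and environment blocks of the new registry compose file.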
@ -63,9 +63,14 @@ services:
|
||||||
subtitle: "CI/CD"
|
subtitle: "CI/CD"
|
||||||
- name: "httpd"
|
- name: "httpd"
|
||||||
logo: "assets/icons/roundcube.png"
|
logo: "assets/icons/roundcube.png"
|
||||||
url: " http://docker10.grote.lan:3344"
|
url: "http://docker10.grote.lan:3344"
|
||||||
target: "_blank"
|
target: "_blank"
|
||||||
subtitle: "Package-Registry"
|
subtitle: "Package-Registry"
|
||||||
|
- name: "Container Registry"
|
||||||
|
logo: "assets/icons/hastebin.png"
|
||||||
|
url: "https://registry.mgrote.net/ui/index.html"
|
||||||
|
target: "_blank"
|
||||||
|
subtitle: "Container-Registry"
|
||||||
|
|
||||||
- name: "Infra"
|
- name: "Infra"
|
||||||
icon: "fas fa-cloud"
|
icon: "fas fa-cloud"
|
||||||
|
|
|
@ -14,7 +14,7 @@ services:
|
||||||
|
|
||||||
python-api-server:
|
python-api-server:
|
||||||
container_name: httpd-api
|
container_name: httpd-api
|
||||||
image: quotengrote/python-api-server:latest
|
image: registry.mgrote.net/python-api-server:latest
|
||||||
restart: always
|
restart: always
|
||||||
ports:
|
ports:
|
||||||
- "5040:5000"
|
- "5040:5000"
|
||||||
|
|
|
@ -58,7 +58,7 @@ services:
|
||||||
MF_API_URL: https://miniflux.mgrote.net/v1
|
MF_API_URL: https://miniflux.mgrote.net/v1
|
||||||
MF_SLEEP: 600
|
MF_SLEEP: 600
|
||||||
#MF_DEBUG: 1
|
#MF_DEBUG: 1
|
||||||
image: quotengrote/miniflux-filter:latest
|
image: registry.mgrote.net/miniflux-filter:latest
|
||||||
volumes:
|
volumes:
|
||||||
- ./filter.txt:/data/filter.txt
|
- ./filter.txt:/data/filter.txt
|
||||||
networks:
|
networks:
|
||||||
|
|
|
@ -2,7 +2,7 @@ version: '3'
|
||||||
services:
|
services:
|
||||||
munin:
|
munin:
|
||||||
container_name: "munin-master-prod"
|
container_name: "munin-master-prod"
|
||||||
image: quotengrote/munin-server:master
|
image: registry.mgrote.net/munin-server:master
|
||||||
restart: always
|
restart: always
|
||||||
environment:
|
environment:
|
||||||
MAILCONTACT: michael.grote@posteo.de
|
MAILCONTACT: michael.grote@posteo.de
|
||||||
|
|
|
@ -3,7 +3,7 @@ services:
|
||||||
oxidized:
|
oxidized:
|
||||||
restart: always
|
restart: always
|
||||||
container_name: "oxidized"
|
container_name: "oxidized"
|
||||||
image: oxidized/oxidized:latest # ist auf lokal gebautes Image gesetzt, nach https://github.com/ytti/oxidized/pull/2726 kann es wieder auf latest gesetzt werden
|
image: oxidized/oxidized:latest
|
||||||
ports:
|
ports:
|
||||||
- 8888:8888/tcp
|
- 8888:8888/tcp
|
||||||
environment:
|
environment:
|
||||||
|
|
83
docker-compose/registry/docker-compose.yml.j2
Normal file
83
docker-compose/registry/docker-compose.yml.j2
Normal file
|
@ -0,0 +1,83 @@
|
||||||
|
version: '3.3'
|
||||||
|
services:
|
||||||
|
oci-registry:
|
||||||
|
restart: always
|
||||||
|
container_name: oci-registry
|
||||||
|
image: registry:2
|
||||||
|
volumes:
|
||||||
|
- /mnt/oci-registry:/var/lib/registry
|
||||||
|
- ./htpasswd:/auth/htpasswd
|
||||||
|
networks:
|
||||||
|
- traefik
|
||||||
|
- intern
|
||||||
|
environment:
|
||||||
|
TZ: Europe/Berlin
|
||||||
|
REGISTRY_AUTH: none
|
||||||
|
REGISTRY_REDIS_ADDR: oci-registry-redis:6379
|
||||||
|
REGISTRY_REDIS_PASSWORD: {{ lookup('keepass', 'oci-registry-redis-pw', 'password') }}
|
||||||
|
REGISTRY_STORAGE_DELETE_ENABLED: true
|
||||||
|
labels:
|
||||||
|
traefik.http.routers.registry.rule: Host(`registry.mgrote.net`)
|
||||||
|
traefik.enable: true
|
||||||
|
traefik.http.routers.registry.tls: true
|
||||||
|
traefik.http.routers.registry.tls.certresolver: resolver_letsencrypt
|
||||||
|
traefik.http.routers.registry.entrypoints: entry_https
|
||||||
|
traefik.http.services.registry.loadbalancer.server.port: 5000
|
||||||
|
|
||||||
|
traefik.http.routers.registry.middlewares: registry-ipwhitelist
|
||||||
|
traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.sourcerange: 192.168.0.0/17
|
||||||
|
|
||||||
|
com.centurylinklabs.watchtower.depends-on: oci-registry-redis
|
||||||
|
com.centurylinklabs.watchtower.enable: true
|
||||||
|
|
||||||
|
# testen mit:
|
||||||
|
# docker pull ubuntu
|
||||||
|
# docker image tag ubuntu registry.mgrote.net/myfirstimage
|
||||||
|
# docker login --username regadmin --password <password> registry.mgrote.net
|
||||||
|
# docker push registry.mgrote.net/myfirstimage
|
||||||
|
# docker pull registry.mgrote.net/myfirstimage
|
||||||
|
|
||||||
|
oci-registry-redis:
|
||||||
|
image: redis:7
|
||||||
|
container_name: oci-registry-redis
|
||||||
|
networks:
|
||||||
|
- intern
|
||||||
|
restart: always
|
||||||
|
environment:
|
||||||
|
REDIS_PASSWORD: {{ lookup('keepass', 'oci-registry-redis-pw', 'password') }}
|
||||||
|
MAXMEMORY POLICY: allkeys-lru
|
||||||
|
labels:
|
||||||
|
com.centurylinklabs.watchtower.enable: true
|
||||||
|
|
||||||
|
oci-registry-ui:
|
||||||
|
restart: always
|
||||||
|
# url: registry.mgrote.net/ui/index.html
|
||||||
|
image: joxit/docker-registry-ui:latest
|
||||||
|
container_name: oci-registry-ui
|
||||||
|
environment:
|
||||||
|
DELETE_IMAGES: true
|
||||||
|
SINGLE_REGISTRY: true
|
||||||
|
NGINX_PROXY_PASS_URL: http://oci-registry:5000
|
||||||
|
networks:
|
||||||
|
- traefik
|
||||||
|
- intern
|
||||||
|
labels:
|
||||||
|
traefik.http.routers.registry-ui.rule: Host(`registry.mgrote.net`)&&PathPrefix(`/ui`) # mache unter /ui erreichbar, damit wird demPfad dieser Prefix hinzugefügt, die Anwendung "hört" dort abrer nicht
|
||||||
|
traefik.http.routers.registry-ui.middlewares: registry-ui-strip-prefix,registry-ui-auth # also entferne den Prefix danach wieder
|
||||||
|
traefik.http.middlewares.registry-ui-strip-prefix.stripprefix.prefixes: /ui # hier ist die Middleware definiert
|
||||||
|
traefik.enable: true
|
||||||
|
traefik.http.routers.registry-ui.tls: true
|
||||||
|
traefik.http.routers.registry-ui.tls.certresolver: resolver_letsencrypt
|
||||||
|
traefik.http.routers.registry-ui.entrypoints: entry_https
|
||||||
|
traefik.http.services.registry-ui.loadbalancer.server.port: 80
|
||||||
|
|
||||||
|
com.centurylinklabs.watchtower.depends-on: oci-registry-redis,oci-registry
|
||||||
|
com.centurylinklabs.watchtower.enable: true
|
||||||
|
|
||||||
|
traefik.http.middlewares.registry-ui-auth.basicauth.users: ui-user:$$2y$$05$$6NLaW1ewe/t4M/qnaPHCx.bmsIKR5MOukwJFrvhyFUcqueRcm9i8K # echo $(htpasswd -nB ui-user password) | sed -e s/\\$/\\$\\$/g
|
||||||
|
|
||||||
|
######## Networks ########
|
||||||
|
networks:
|
||||||
|
traefik:
|
||||||
|
external: true
|
||||||
|
intern:
|
|
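Review bot: `REGISTRY_AUTH: none` leaves the registry open to unauthenticated push, pull and (with `REGISTRY_STORAGE_DELETE_ENABLED: true`) delete for every client the traefik `ipwhitelist` admits from 192.168.0.0/17, while the `./htpasswd:/auth/htpasswd` mount and the `docker login --username regadmin` test comment suggest basic auth was intended. Changing it to `REGISTRY_AUTH: htpasswd`, `REGISTRY_AUTH_HTPASSWD_REALM: registry`, `REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd` would make the mounted file effective; the UI's proxied requests via `NGINX_PROXY_PASS_URL` would presumably then need to authenticate as well. Whether the whitelist is enforced on the real client address depends on traefik's forwarded-header trust settings, which are not in this diff. The official `redis:7` image does not, as far as I know, read `REDIS_PASSWORD` (that is a bitnami/redis convention) and `MAXMEMORY POLICY` is not a valid variable name, so redis likely runs without the password the registry is configured to send — worth checking the container log. The two `{{ lookup(...) }}` expansions should be quoted (`"{{ ... }}"`) so a password starting with a YAML indicator or containing `: ` cannot break the rendered file.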
@ -9,7 +9,7 @@ providers:
|
||||||
entryPoints:
|
entryPoints:
|
||||||
entry_http:
|
entry_http:
|
||||||
address: :80
|
address: :80
|
||||||
http: #Umleitung http zu https
|
http: # Umleitung http zu https
|
||||||
redirections:
|
redirections:
|
||||||
entryPoint:
|
entryPoint:
|
||||||
to: entry_https
|
to: entry_https
|
||||||
|
@ -20,7 +20,7 @@ entryPoints:
|
||||||
entry_ssh:
|
entry_ssh:
|
||||||
address: :2222 # wenn hier zusätzliche Ports eingetragen werden, müssen diese auch in der docker-compose.yml als Ports gemappt werden
|
address: :2222 # wenn hier zusätzliche Ports eingetragen werden, müssen diese auch in der docker-compose.yml als Ports gemappt werden
|
||||||
|
|
||||||
#letsencrypt
|
# letsencrypt
|
||||||
certificatesResolvers:
|
certificatesResolvers:
|
||||||
resolver_letsencrypt:
|
resolver_letsencrypt:
|
||||||
acme:
|
acme:
|
||||||
|
@ -35,4 +35,4 @@ log:
|
||||||
|
|
||||||
api:
|
api:
|
||||||
insecure: true
|
insecure: true
|
||||||
dashboard: true #unter Port 8081 erreichbar
|
dashboard: true # unter Port 8081 erreichbar
|
||||||
|
|
|
@ -12,10 +12,21 @@
|
||||||
filesystem: xfs
|
filesystem: xfs
|
||||||
mount: true
|
mount: true
|
||||||
mntp: /var/lib/docker
|
mntp: /var/lib/docker
|
||||||
|
- vgname: vg_docker_volumes
|
||||||
|
disks:
|
||||||
|
- /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi2
|
||||||
|
create: true
|
||||||
|
lvnames:
|
||||||
|
- lvname: ociregistry
|
||||||
|
size: +100%FREE
|
||||||
|
create: true
|
||||||
|
filesystem: xfs
|
||||||
|
mount: true
|
||||||
|
mntp: /mnt/oci-registry
|
||||||
manage_lvm: true
|
manage_lvm: true
|
||||||
pvresize_to_max: true
|
pvresize_to_max: true
|
||||||
### mgrote.restic
|
### mgrote.restic
|
||||||
restic_folders_to_backup: "/ /var/lib/docker" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben
|
restic_folders_to_backup: "/ /var/lib/docker /mnt/oci-registry" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben
|
||||||
|
|
||||||
### mgrote.docker-compose-inline
|
### mgrote.docker-compose-inline
|
||||||
compose_owner: "docker-user"
|
compose_owner: "docker-user"
|
||||||
|
@ -55,6 +66,9 @@
|
||||||
state: present
|
state: present
|
||||||
- name: acng
|
- name: acng
|
||||||
state: present
|
state: present
|
||||||
|
- name: registry
|
||||||
|
state: present
|
||||||
|
network: traefik
|
||||||
### oefenweb.ufw
|
### oefenweb.ufw
|
||||||
ufw_rules:
|
ufw_rules:
|
||||||
- rule: allow
|
- rule: allow
|
||||||
|
|
BIN
keepass_db.kdbx
BIN
keepass_db.kdbx