homeserver/docker-compose/registry/docker-compose.yml.j2
Renovate Bot 1b45956d7d
chore(deps): update redis docker tag to v7.4.2
2025-01-06 20:06:07 +00:00


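# Docker Compose template, rendered through Ansible/Jinja, for a private OCI
# registry stack:
#   oci-registry        the registry itself, routed through Traefik
#   oci-registry-redis  Redis, attached only to the "internal" network
#   oci-registry-ui     Joxit web UI, which proxies to the registry
# Secrets are pulled from KeePass at render time via the
# viczem.keepass.keepass lookup, so the rendered file contains them in clear.
services:
  oci-registry:
    restart: unless-stopped
    pull_policy: missing
    deploy:
      resources:
        limits:
          cpus: "2"
          memory: "512M"
    security_opt:
      - no-new-privileges=true
    container_name: oci-registry
    image: "registry:2.8.3"
    volumes:
      - oci:/var/lib/registry
    networks:
      - traefik
      - internal
    depends_on:
      - oci-registry-redis
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:5000/v2/"]
      interval: 30s
      timeout: 10s
      retries: 3
    environment:
      TZ: Europe/Berlin
      # The registry does no authentication of its own. With deletion enabled
      # below, access control rests entirely on the Traefik middlewares named
      # in the labels (allowlist_localnet@file is defined outside this file).
      REGISTRY_AUTH: "none"
      REGISTRY_REDIS_ADDR: "oci-registry-redis:6379"
      REGISTRY_REDIS_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'oci-registry-redis-pw', 'password') }}"
      # Environment values are strings; quoted so YAML does not retype them.
      REGISTRY_STORAGE_DELETE_ENABLED: "true"
      REGISTRY_CATALOG_MAXENTRIES: "100000"  # https://github.com/Joxit/docker-registry-ui/issues/306
      # https://joxit.dev/docker-registry-ui/#using-cors
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[https://rui.mgrote.net]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
    labels:
      traefik.http.routers.registry.rule: 'Host(`registry.mgrote.net`)'
      traefik.enable: "true"
      traefik.http.routers.registry.tls: "true"
      traefik.http.routers.registry.tls.certresolver: resolver_letsencrypt
      traefik.http.routers.registry.entrypoints: entry_https
      traefik.http.services.registry.loadbalancer.server.port: "5000"
      traefik.http.routers.registry.middlewares: allowlist_localnet@file,ratelimit40@file
    # clean up the registry: docker exec -it oci-registry /bin/registry garbage-collect /etc/docker/registry/config.yml
    # test with:
    # docker pull ubuntu
    # docker image tag ubuntu registry.mgrote.net/myfirstimage
    # docker push registry.mgrote.net/myfirstimage
    # docker pull registry.mgrote.net/myfirstimage
  oci-registry-redis:
    image: "redis:7.4.2"
    container_name: oci-registry-redis
    networks:
      - internal
    restart: unless-stopped
    pull_policy: missing
    deploy:
      resources:
        limits:
          cpus: "2"
          memory: "512M"
    security_opt:
      - no-new-privileges=true
    # The official redis image takes its configuration from server arguments
    # (or a config file), not from environment variables such as
    # REDIS_PASSWORD, so the password and eviction policy are passed here.
    # Without --requirepass the server accepts unauthenticated clients from
    # anything on the "internal" network.
    # The password is visible in the container's argument list (docker
    # inspect), as the environment value was; a mounted redis.conf avoids that.
    # NOTE(review): an eviction policy only takes effect once a maxmemory
    # limit is configured; none is set here.
    command:
      - "redis-server"
      - "--requirepass"
      - "{{ lookup('viczem.keepass.keepass', 'oci-registry-redis-pw', 'password') }}"
      - "--maxmemory-policy"
      - "allkeys-lru"
    environment:
      # Read by redis-cli, so the healthcheck below can authenticate.
      REDISCLI_AUTH: "{{ lookup('viczem.keepass.keepass', 'oci-registry-redis-pw', 'password') }}"
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 30s
      timeout: 10s
      retries: 3
  oci-registry-ui:
    restart: unless-stopped
    pull_policy: missing
    deploy:
      resources:
        limits:
          cpus: "2"
          memory: "512M"
    security_opt:
      - no-new-privileges=true
    image: "joxit/docker-registry-ui:2.5.7"
    container_name: oci-registry-ui
    ports:
      # NOTE(review): published on every host interface over plain HTTP. The
      # UI proxies to the registry (NGINX_PROXY_PASS_URL) with DELETE_IMAGES
      # on, and this path does not pass through the Traefik router's
      # allowlist/ratelimit middlewares. Confirm that whatever fronts port
      # 5511 restricts access, or bind to a specific host address.
      - "5511:80"
    environment:
      DELETE_IMAGES: "true"
      SINGLE_REGISTRY: "true"
      NGINX_PROXY_PASS_URL: http://oci-registry:5000
      SHOW_CONTENT_DIGEST: "true"  # https://github.com/Joxit/docker-registry-ui/issues/297
      SHOW_CATALOG_NB_TAGS: "true"
      PULL_URL: registry.mgrote.net
    depends_on:
      - oci-registry
    networks:
      - traefik
      - internal
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://127.0.0.1"]
      interval: 30s
      timeout: 10s
      retries: 3
######## Networks ########
networks:
  # Created outside this project; shared with the Traefik reverse proxy.
  traefik:
    external: true
  # Project-local network with default settings.
  internal: {}
######## Volumes ########
volumes:
  # Named volume holding the registry's data (/var/lib/registry).
  oci: {}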