homeserver/docker-compose/registry/docker-compose.yml.j2

version: '3.3'
services:
  oci-registry:
    restart: always
    container_name: oci-registry
    image: "registry:2.8.3@sha256:0a182cb82c93939407967d6d71d6caf11dcef0e5689c6afe2d60518e3b34ab86"
    volumes:
      - oci:/var/lib/registry
      - ./htpasswd:/auth/htpasswd
    networks:
      - traefik
      - intern
    depends_on:
      - oci-registry-ui
      - oci-registry-redis
    environment:
      TZ: Europe/Berlin
      REGISTRY_AUTH: none
      REGISTRY_REDIS_ADDR: oci-registry-redis:6379
      REGISTRY_REDIS_PASSWORD: "{{ lookup('keepass', 'oci-registry-redis-pw', 'password') }}"
      REGISTRY_STORAGE_DELETE_ENABLED: true
      REGISTRY_CATALOG_MAXENTRIES: 100000 # https://github.com/Joxit/docker-registry-ui/issues/306
      # https://joxit.dev/docker-registry-ui/#using-cors
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[https://registry.mgrote.net/ui/]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
    labels:
      traefik.http.routers.registry.rule: Host(`registry.mgrote.net`)
      traefik.enable: true
      traefik.http.routers.registry.tls: true
      traefik.http.routers.registry.tls.certresolver: resolver_letsencrypt
      traefik.http.routers.registry.entrypoints: entry_https
      traefik.http.services.registry.loadbalancer.server.port: 5000

      traefik.http.routers.registry.middlewares: registry-ipwhitelist

      traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24,192.168.48.0/24,172.18.0.0/16 # .48. ist Docker
      traefik.http.middlewares.registry-ipwhitelist.ipwhitelist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/#ipstrategydepth

      com.centurylinklabs.watchtower.depends-on: oci-registry-redis
      com.centurylinklabs.watchtower.enable: true

    # registry aufräumen: docker exec -it oci-registry /bin/registry garbage-collect --delete-untagged=true /etc/docker/registry/config.yml

    # testen mit:
    # docker pull ubuntu
    # docker image tag ubuntu registry.mgrote.net/myfirstimage
    # docker push registry.mgrote.net/myfirstimage
    # docker pull registry.mgrote.net/myfirstimage

  oci-registry-redis:
    image: "redis:7.2.4@sha256:b5ddcd52d425a8e354696c022f392fe45fca928f68d6289e6bb4a709c3a74668"
    container_name: oci-registry-redis
    networks:
      - intern
    restart: always
    environment:
      REDIS_PASSWORD: "{{ lookup('keepass', 'oci-registry-redis-pw', 'password') }}"
      MAXMEMORY POLICY: allkeys-lru
    labels:
      com.centurylinklabs.watchtower.enable: true

  oci-registry-ui:
    restart: always
    # url: registry.mgrote.net/ui/index.html
    image: "joxit/docker-registry-ui:2.5.6@sha256:ccb4b40737938050b2617b8c61d4287b1078c424ddafe0fcb81b5ce82a3a7198"
    container_name: oci-registry-ui
    environment:
      DELETE_IMAGES: true
      SINGLE_REGISTRY: true
      NGINX_PROXY_PASS_URL: http://oci-registry:5000
      SHOW_CONTENT_DIGEST: true # https://github.com/Joxit/docker-registry-ui/issues/297
      SHOW_CATALOG_NB_TAGS: true
      PULL_URL: registry.mgrote.net
    networks:
      - traefik
      - intern
    labels:
      traefik.http.routers.registry-ui.rule: Host(`registry.mgrote.net`)&&PathPrefix(`/ui`) # mache unter /ui erreichbar, damit wird demPfad dieser Prefix hinzugefügt, die Anwendung "hört" dort abrer nicht
      traefik.http.routers.registry-ui.middlewares: registry-ui-strip-prefix,registry-ui-ipwhitelist # also entferne den Prefix danach wieder
      traefik.http.middlewares.registry-ui-strip-prefix.stripprefix.prefixes: /ui # hier ist die Middleware definiert
      traefik.enable: true
      traefik.http.routers.registry-ui.tls: true
      traefik.http.routers.registry-ui.tls.certresolver: resolver_letsencrypt
      traefik.http.routers.registry-ui.entrypoints: entry_https
      traefik.http.services.registry-ui.loadbalancer.server.port: 80

      traefik.http.middlewares.registry-ui-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24,10.25.25.0/24 # .48. ist Docker
      traefik.http.middlewares.registry-ui-ipwhitelist.ipwhitelist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/#ipstrategydepth


      com.centurylinklabs.watchtower.depends-on: oci-registry-redis,oci-registry
      com.centurylinklabs.watchtower.enable: true


######## Networks ########
networks:
  traefik:
    external: true
  intern:


######## Volumes ########
volumes:
  oci: