Improve security further #3

Docker_Registry_Install_Guide.md

@@ -100,10 +100,10 @@ sudo chown -R root:root /etc/registry/certs
 sudo chmod 750 /etc/registry/certs/private
 sudo chmod 755 /etc/registry/certs/{clients,ca,requests}
 
-# Create registry data directory
-sudo mkdir -p /var/lib/registry/data
+# Create registry data directory (systemd-managed)
+sudo mkdir -p /var/lib/registry
 sudo chown CI_SERVICE_USER:CI_SERVICE_USER /var/lib/registry
-sudo chmod 750 /var/lib/registry /var/lib/registry/data
+sudo chmod 750 /var/lib/registry
 
 # Create log directory for nginx proxy
 sudo install -d -o registry-proxy -g registry-proxy /var/log/registry-proxy
@@ -127,13 +127,14 @@ Environment=PODMAN_RUNROOT=/run/user/%U/podman-run
 Environment=PODMAN_TMPDIR=/var/tmp/podman-%U/tmp
 Environment=XDG_DATA_HOME=/var/tmp/podman-%U/xdg-data
 Environment=XDG_CONFIG_HOME=/var/tmp/podman-%U/xdg-config
+StateDirectory=registry
 ExecStart=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tmpdir=${PODMAN_TMPDIR} --events-backend=file \
   run --rm --name registry \
   -p 127.0.0.1:5000:5000 \
   --read-only --tmpfs /tmp:size=64m --cap-drop=ALL --security-opt=no-new-privileges \
   -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
   -e REGISTRY_STORAGE_DELETE_ENABLED=false \
-  -v /var/lib/registry/data:/var/lib/registry:z \
+  -v /var/lib/registry:/var/lib/registry:z \
   docker.io/library/registry@sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d
 ExecStop=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tmpdir=${PODMAN_TMPDIR} stop -t 10 registry
 Restart=on-failure
@@ -176,9 +177,8 @@ ProtectHostname=yes
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-IPAddressDeny=any
-IPAddressAllow=127.0.0.1/8 ::1
 LimitNOFILE=65536
+ExecStartPre=/usr/sbin/nginx -t -c /etc/registry/nginx.conf
 ExecStart=/usr/sbin/nginx -g 'daemon off;' -c /etc/registry/nginx.conf
 Restart=on-failure