Remove symlinks from Docker Registry + Caddyfile procedure

CI_CD_PIPELINE_SETUP_GUIDE.md

@@ -724,9 +724,6 @@ sudo mkdir -p /etc/registry/certs/requests
 sudo mkdir -p /etc/registry/certs/ca
 sudo mkdir -p /var/lib/registry/data
 
-# Create FHS-compliant environment directory structure
-sudo mkdir -p /etc/registry/env
-
 # Set proper ownership for certificate and environment directories
 sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/certs
 sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/env
@@ -739,9 +736,6 @@ sudo chmod 755 /etc/registry/certs/requests   # Certificate requests
 sudo chmod 755 /etc/registry/certs/ca         # CA certificates
 sudo chmod 755 /var/lib/registry/data         # Registry data
 
-# Set proper permissions for environment directory
-sudo chmod 755 /etc/registry/env              # Environment directory
-
 # Create registry data directory symlink for docker-compose
 sudo ln -sf /var/lib/registry/data /opt/APP_NAME/registry/registry
 ```
@@ -767,7 +761,7 @@ sudo -u CI_SERVICE_USER openssl genrsa -out private/ca.key 4096
 sudo -u CI_SERVICE_USER openssl req -new -x509 -key private/ca.key \
     -out ca/ca.crt \
     -days 365 \
-    -subj "/C=US/ST=State/L=City/O=Organization/OU=IT/CN=APP_NAME-Registry-CA"
+    -subj "/O=YOUR_ORGANIZATION/CN=APP_NAME-Registry-CA"
 
 # Generate server private key in private subdirectory
 sudo -u CI_SERVICE_USER openssl genrsa -out private/registry.key 4096
@@ -794,13 +788,6 @@ sudo chmod 600 private/ca.key private/registry.key    # Private keys - owner rea
 sudo chmod 644 ca/ca.crt registry.crt                 # Certificates - world readable
 sudo chmod 644 requests/registry.csr requests/openssl.conf  # Requests - world readable
 
-# Create certificate symlinks for Caddy (in certs subdirectory for docker-compose)
-sudo mkdir -p /opt/APP_NAME/registry/certs
-sudo ln -sf /etc/registry/certs/registry.crt /opt/APP_NAME/registry/certs/registry.crt
-sudo ln -sf /etc/registry/certs/private/registry.key /opt/APP_NAME/registry/certs/registry.key
-sudo chown -h CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/certs/registry.crt
-sudo chown -h CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/certs/registry.key
-
 # Verify certificate creation
 sudo -u CI_SERVICE_USER openssl x509 -in registry.crt -text -noout | grep -E "(Subject:|DNS:|IP Address:)"
 
@@ -1385,7 +1372,6 @@ The Docker Registry setup now follows the Filesystem Hierarchy Standard (FHS) fo
 - `Caddyfile` - Caddy reverse proxy configuration from project repository  
 - `openssl.conf` - OpenSSL configuration for certificate generation from project repository
 - `docker-registry.service` - Systemd service file for Docker Registry
-- `certs/` - Symbolic links to FHS-compliant certificate locations
 
 **System Files** (FHS-compliant locations):
 - `/var/lib/registry/data/` - Registry data storage
@@ -2404,7 +2390,6 @@ sudo rm -rf /opt/APP_NAME/registry/certs/requests/openssl.conf
 # - /opt/APP_NAME/registry/docker-compose.registry.yml
 # - /opt/APP_NAME/registry/Caddyfile  
 # - /opt/APP_NAME/registry/docker-registry.service
-# - /opt/APP_NAME/registry/certs/ (symlinks to FHS locations)
 # - /etc/registry/env/.env (contains the actual secrets)
 # - /etc/systemd/system/docker-registry.service
 ```

registry/Caddyfile

@@ -1,6 +1,6 @@
 # Auth-required pushes on 4443
 :4443 {
-  tls /etc/certs/registry.crt /etc/certs/registry.key
+  tls /etc/registry/certs/registry.crt /etc/registry/certs/private/registry.key
   log
 
   # require auth on writes

registry/docker-compose.registry.yml

@@ -26,6 +26,6 @@ services:
       # deliberately no "80:80" – no HTTP
     volumes:
       - ./Caddyfile:/etc/caddy/Caddyfile:ro
-      - ./certs:/etc/certs:ro
+      - /etc/registry/certs:/etc/registry/certs:ro
     env_file:
       - /etc/registry/env/.env