devteam/sharenet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Finish making Caddyfile work correctly
Some checks failed
CI/CD Pipeline (Fully Isolated DinD) / Run Tests (DinD) (push) Has been cancelled
Details
CI/CD Pipeline (Fully Isolated DinD) / Build and Push Docker Images (DinD) (push) Has been cancelled
Details
CI/CD Pipeline (Fully Isolated DinD) / Deploy to Production (push) Has been cancelled
Details

Browse source
This commit is contained in:
continuist 2025-08-16 16:25:23 -04:00
parent ab2902098e
commit bf41839b8c
4 changed files with 32 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
CI_CD_PIPELINE_SETUP_GUIDE.md
View file

@ -789,7 +789,7 @@ sudo chmod 644 ca/ca.crt registry.crt # Certificates - world rea
sudo chmod 644 requests/registry.csr requests/openssl.conf # Requests - world readable
# Verify certificate creation
sudo -u CI_SERVICE_USER openssl x509 -in registry.crt -text -noout | grep -E "(Subject:|DNS:|IP Address:)"
sudo -u CI_SERVICE_USER openssl x509 -in /etc/registry/certs/registry.crt -text -noout | grep -E "(Subject:|DNS:|IP Address:)"
# 2. Install CA certificate into Docker trust store
sudo mkdir -p /etc/docker/certs.d/YOUR_ACTUAL_IP_ADDRESS
@ -884,6 +884,20 @@ echo "Certificates will be renewed automatically and the registry service will b
#### 5.7 Set Up Systemd Service for Docker Registry
```bash
# Create system-wide Docker configuration to avoid permission issues
sudo mkdir -p /etc/docker
sudo tee /etc/docker/config.json > /dev/null << 'EOF'
{
"auths": {},
"HttpHeaders": {
"User-Agent": "Docker-Client/20.10.0 (linux)"
}
}
EOF
# Set proper permissions for system-wide Docker config
sudo chmod 644 /etc/docker/config.json
# Install systemd service from repository
sudo cp /opt/APP_NAME/registry/docker-registry.service /etc/systemd/system/docker-registry.service

13
registry/Caddyfile
View file

@ -1,3 +1,16 @@
# Unauthenticated pulls on 443 (GET requests only)
:443 {
tls /etc/registry/certs/registry.crt /etc/registry/certs/private/registry.key
log
# Block all write operations explicitly
@writes method PUT POST PATCH DELETE
respond @writes "Method Not Allowed" 405
# Allow all GET requests to v2 API (Docker Registry itself will handle security)
reverse_proxy /v2/* registry:5000
}
# Auth-required pushes on 4443
:4443 {
tls /etc/registry/certs/registry.crt /etc/registry/certs/private/registry.key

4
registry/docker-compose.registry.yml
View file

@ -27,5 +27,5 @@ services:
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro
- /etc/registry/certs:/etc/registry/certs:ro
env_file:
- /etc/registry/env/.env
environment:
- REGISTRY_PASSWORD_HASH=${REGISTRY_PASSWORD_HASH}

2
registry/docker-registry.service
View file

@ -9,6 +9,8 @@ RemainAfterExit=yes
User=CI_SERVICE_USER
Group=CI_SERVICE_USER
WorkingDirectory=/opt/APP_NAME/registry
EnvironmentFile=/etc/registry/env/.env
Environment=DOCKER_CONFIG=/etc/docker
ExecStart=/usr/bin/docker compose -f docker-compose.registry.yml up -d
ExecStop=/usr/bin/docker compose -f docker-compose.registry.yml down
ExecReload=/usr/bin/docker compose -f docker-compose.registry.yml restart