diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md
index 97591a0..e30362c 100644
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@@ -789,7 +789,7 @@ sudo chmod 644 ca/ca.crt registry.crt # Certificates - world rea
 sudo chmod 644 requests/registry.csr requests/openssl.conf # Requests - world readable
 
 # Verify certificate creation
-sudo -u CI_SERVICE_USER openssl x509 -in registry.crt -text -noout | grep -E "(Subject:|DNS:|IP Address:)"
+sudo -u CI_SERVICE_USER openssl x509 -in /etc/registry/certs/registry.crt -text -noout | grep -E "(Subject:|DNS:|IP Address:)"
 
 # 2. Install CA certificate into Docker trust store
 sudo mkdir -p /etc/docker/certs.d/YOUR_ACTUAL_IP_ADDRESS
@@ -884,6 +884,20 @@ echo "Certificates will be renewed automatically and the registry service will b
 #### 5.7 Set Up Systemd Service for Docker Registry
 
 ```bash
+# Create system-wide Docker configuration to avoid permission issues
+sudo mkdir -p /etc/docker
+sudo tee /etc/docker/config.json > /dev/null << 'EOF'
+{
+  "auths": {},
+  "HttpHeaders": {
+    "User-Agent": "Docker-Client/20.10.0 (linux)"
+  }
+}
+EOF
+
+# Set proper permissions for system-wide Docker config
+sudo chmod 644 /etc/docker/config.json
+
 # Install systemd service from repository
 sudo cp /opt/APP_NAME/registry/docker-registry.service /etc/systemd/system/docker-registry.service
 
diff --git a/registry/Caddyfile b/registry/Caddyfile
index 4a762bc..d185b43 100644
--- a/registry/Caddyfile
+++ b/registry/Caddyfile
@@ -1,3 +1,16 @@
+# Unauthenticated pulls on 443 (GET requests only)
+:443 {
+    tls /etc/registry/certs/registry.crt /etc/registry/certs/private/registry.key
+    log
+
+    # Block all write operations explicitly
+    @writes method PUT POST PATCH DELETE
+    respond @writes "Method Not Allowed" 405
+
+    # Allow all GET requests to v2 API (Docker Registry itself will handle security)
+    reverse_proxy /v2/* registry:5000
+}
+
 # Auth-required pushes on 4443
 :4443 {
     tls /etc/registry/certs/registry.crt /etc/registry/certs/private/registry.key
diff --git a/registry/docker-compose.registry.yml b/registry/docker-compose.registry.yml
index aae20c9..eaa6a6e 100644
--- a/registry/docker-compose.registry.yml
+++ b/registry/docker-compose.registry.yml
@@ -27,5 +27,5 @@ services:
     volumes:
       - ./Caddyfile:/etc/caddy/Caddyfile:ro
       - /etc/registry/certs:/etc/registry/certs:ro
-    env_file:
-      - /etc/registry/env/.env
+    environment:
+      - REGISTRY_PASSWORD_HASH=${REGISTRY_PASSWORD_HASH}
diff --git a/registry/docker-registry.service b/registry/docker-registry.service
index 56471ef..82b3fc9 100644
--- a/registry/docker-registry.service
+++ b/registry/docker-registry.service
@@ -9,6 +9,8 @@ RemainAfterExit=yes
 User=CI_SERVICE_USER
 Group=CI_SERVICE_USER
 WorkingDirectory=/opt/APP_NAME/registry
+EnvironmentFile=/etc/registry/env/.env
+Environment=DOCKER_CONFIG=/etc/docker
 ExecStart=/usr/bin/docker compose -f docker-compose.registry.yml up -d
 ExecStop=/usr/bin/docker compose -f docker-compose.registry.yml down
 ExecReload=/usr/bin/docker compose -f docker-compose.registry.yml restart
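Review bot: The new :443 site only denies the four verbs listed in `@writes`, so any other method (OPTIONS, TRACE, or an unrecognised verb) still reaches the registry through `reverse_proxy /v2/* registry:5000`, and requests outside /v2/ fall through to Caddy's default empty 200 rather than a refusal. A read-only front is safer as an allow-list: accept GET and HEAD (HEAD is what clients use for blob-existence checks) on /v2/* and refuse everything else, which also stays correct if the method list is edited later. The comment's claim that the registry itself handles security is not visible in this diff — nothing here shows the registry container configured with its own auth — so worth confirming anonymous GET on /v2/* is the intended policy. Suggested shape of the :443 block:
```caddyfile
:443 {
    # … unchanged: tls / log …

    # Read-only front: only GET/HEAD on the v2 API reach the registry
    @reads {
        method GET HEAD
        path /v2/*
    }
    handle @reads {
        reverse_proxy registry:5000
    }
    # Every other verb or path is refused here, never forwarded
    handle {
        respond "Method Not Allowed" 405
    }
}
```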
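Review bot: `${REGISTRY_PASSWORD_HASH}` carries no required marker, so if the variable is absent from the shell that runs `docker compose` (anyone invoking it by hand instead of through the systemd unit in this commit) compose substitutes an empty string with only a warning, and whatever consumes the hash (presumably the auth block on :4443, not shown here) starts with an empty value. Use the fail-fast form, `- REGISTRY_PASSWORD_HASH=${REGISTRY_PASSWORD_HASH:?set via /etc/registry/env/.env}`, so a missing secret aborts startup instead of silently weakening authentication. The switch from env_file to environment also means the value must now be present in the compose process's own environment, not just readable from disk; a one-line comment above `environment:` stating that the systemd unit supplies it would save the next operator a debugging round.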
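Review bot: `Environment=DOCKER_CONFIG=/etc/docker` points the Docker CLI's credential store at /etc/docker/config.json, which the guide in this same commit creates root-owned with mode 644; a later `docker login` under this DOCKER_CONFIG would either fail for CI_SERVICE_USER (it cannot write a root-owned file) or, if run as root, persist registry credentials into a world-readable file. If the intent is only a stable config path for the unit, record that next to the line — `# DOCKER_CONFIG is a static client config; never run 'docker login' against this path` — or point it at a directory owned by CI_SERVICE_USER with mode 700. On the positive side, `EnvironmentFile=` is read by systemd with root privileges before `User=` takes effect, so /etc/registry/env/.env no longer needs to be readable by CI_SERVICE_USER and can be tightened to root:root 0600; that permission change belongs in the setup guide alongside this unit.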