From f13148d53e77fdcea97eb03be7b5f5f3537c1922 Mon Sep 17 00:00:00 2001
From: continuist <continuist02@gmail.com>
Date: Fri, 15 Aug 2025 19:12:04 -0400
Subject: [PATCH] Improve docker registry + Caddy installation security

---
 CI_CD_PIPELINE_SETUP_GUIDE.md        | 110 +++++++++++++++++++--------
 registry/Caddyfile                   |   4 +-
 registry/docker-compose.registry.yml |   2 +
 registry/docker-registry.service     |  12 ++-
 4 files changed, 92 insertions(+), 36 deletions(-)

diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md
index 47fab67..0e8f540 100644
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@@ -686,14 +686,25 @@ sudo sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g" /opt/APP_NAME/registry/Ca
 sudo sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g" /opt/APP_NAME/registry/openssl.conf
 sudo sed -i "s/YOUR_REGISTRY_NAME/APP_NAME-Registry/g" /opt/APP_NAME/registry/openssl.conf
 
-# Create environment file for registry authentication
+# Create FHS-compliant environment directory
+sudo mkdir -p /etc/registry/env
+sudo chown CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/env
+sudo chmod 755 /etc/registry/env
+
+# Create secure environment file for registry authentication
 # First, create a secure password hash
 # Save this password somewhere safe
 REGISTRY_PASSWORD="your-secure-registry-password"
 REGISTRY_PASSWORD_HASH=$(htpasswd -nbB registry-user "$REGISTRY_PASSWORD" | cut -d: -f2)
 
-# Update Caddyfile with the actual password hash
-sudo sed -i "s/DOCKER_REGISTRY_PASSWORD/$REGISTRY_PASSWORD_HASH/g" /opt/APP_NAME/registry/Caddyfile
+# Create the .env file in FHS-compliant location
+sudo tee /etc/registry/env/.env > /dev/null <<EOF
+REGISTRY_PASSWORD_HASH=$REGISTRY_PASSWORD_HASH
+EOF
+
+# Set secure permissions on .env file (owner read/write only)
+sudo chown CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/env/.env
+sudo chmod 600 /etc/registry/env/.env
 
 # Set proper permissions for configuration files
 sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/Caddyfile
@@ -704,7 +715,7 @@ sudo chmod 644 /opt/APP_NAME/registry/openssl.conf
 sudo chmod 644 /opt/APP_NAME/registry/docker-compose.registry.yml
 ```
 
-#### 5.3 Create FHS-Compliant Certificate Directory Structure
+#### 5.3 Create FHS-Compliant Directory Structure
 
 ```bash
 # Create FHS-compliant certificate directory structure
@@ -713,8 +724,12 @@ sudo mkdir -p /etc/registry/certs/requests
 sudo mkdir -p /etc/registry/certs/ca
 sudo mkdir -p /var/lib/registry/data
 
-# Set proper ownership for certificate directories
+# Create FHS-compliant environment directory structure
+sudo mkdir -p /etc/registry/env
+
+# Set proper ownership for certificate and environment directories
 sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/certs
+sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/env
 sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /var/lib/registry/data
 
 # Set proper permissions for certificate directories
@@ -724,6 +739,9 @@ sudo chmod 755 /etc/registry/certs/requests   # Certificate requests
 sudo chmod 755 /etc/registry/certs/ca         # CA certificates
 sudo chmod 755 /var/lib/registry/data         # Registry data
 
+# Set proper permissions for environment directory
+sudo chmod 755 /etc/registry/env              # Environment directory
+
 # Create registry data directory symlink for docker-compose
 sudo ln -sf /var/lib/registry/data /opt/APP_NAME/registry/registry
 ```
@@ -783,6 +801,8 @@ sudo ln -sf /etc/registry/certs/private/registry.key /opt/APP_NAME/registry/cert
 sudo chown -h CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/certs/registry.crt
 sudo chown -h CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/certs/registry.key
 
+# Note: .env file is accessed directly from /etc/registry/env/.env in docker-compose.registry.yml
+
 # Verify certificate creation
 sudo -u CI_SERVICE_USER openssl x509 -in registry.crt -text -noout | grep -E "(Subject:|DNS:|IP Address:)"
 
@@ -876,30 +896,7 @@ echo "Automatic certificate renewal configured!"
 echo "Certificates will be renewed automatically and the registry service will be restarted"
 ```
 
-#### 5.7 Start Docker Registry with Docker Compose
-
-```bash
-# Switch to CI_SERVICE_USER
-sudo su - CI_SERVICE_USER
-
-# Navigate to the application directory
-cd /opt/APP_NAME/registry
-
-# Start the Docker Registry and Caddy services using the project's registry compose file
-docker compose -f docker-compose.registry.yml up -d
-
-# Verify services are running
-docker compose -f docker-compose.registry.yml ps
-
-# Check service logs for any issues
-docker compose -f docker-compose.registry.yml logs caddy
-docker compose -f docker-compose.registry.yml logs registry
-
-# Exit CI_SERVICE_USER shell
-exit
-```
-
-#### 5.8 Install Systemd Service for Docker Registry
+#### 5.7 Set Up Systemd Service for Docker Registry
 
 ```bash
 # Install systemd service from repository
@@ -916,8 +913,27 @@ sudo systemctl daemon-reload
 sudo systemctl enable docker-registry.service
 sudo systemctl start docker-registry.service
 
-# Monitor startup
-sudo journalctl -u docker-registry.service -f
+# Verify services are running
+sudo systemctl status docker-registry.service
+
+# Check service logs for any issues
+sudo journalctl -u docker-registry.service -f --no-pager -n 50
+```
+
+#### 5.8 Verify Docker Registry Service
+
+```bash
+# Check that the service is running properly
+sudo systemctl status docker-registry.service
+
+# Check that containers are running
+sudo su - CI_SERVICE_USER -c "cd /opt/APP_NAME/registry && docker compose -f docker-compose.registry.yml ps"
+
+# Check Caddy logs
+sudo su - CI_SERVICE_USER -c "cd /opt/APP_NAME/registry && docker compose -f docker-compose.registry.yml logs caddy"
+
+# Check Registry logs  
+sudo su - CI_SERVICE_USER -c "cd /opt/APP_NAME/registry && docker compose -f docker-compose.registry.yml logs registry"
 ```
 
 #### 5.9 Test Registry Setup
@@ -1375,6 +1391,7 @@ The Docker Registry setup now follows the Filesystem Hierarchy Standard (FHS) fo
 - `docker-compose.registry.yml` - Docker Compose configuration from project repository
 - `Caddyfile` - Caddy reverse proxy configuration from project repository  
 - `openssl.conf` - OpenSSL configuration for certificate generation from project repository
+- `docker-registry.service` - Systemd service file for Docker Registry
 - `certs/` - Symbolic links to FHS-compliant certificate locations
 
 **System Files** (FHS-compliant locations):
@@ -1384,12 +1401,17 @@ The Docker Registry setup now follows the Filesystem Hierarchy Standard (FHS) fo
   - `/etc/registry/certs/ca/` - CA certificates (mode 644)  
   - `/etc/registry/certs/requests/` - Certificate requests and configs (mode 644)
   - `/etc/registry/certs/registry.crt` - Server certificate (mode 644)
+- `/etc/registry/env/` - Environment variables and secrets:
+  - `/etc/registry/env/.env` - Registry authentication secrets (mode 600)
+- `/etc/systemd/system/docker-registry.service` - Systemd service configuration
 - `/var/log/registry/` - Registry and Caddy logs
 
 **Benefits of FHS Compliance**:
 - **Data persistence**: Registry data stored in `/var/lib/registry/data/` survives container restarts
 - **Certificate security**: Hierarchical certificate structure with proper permissions
-- **Separation of concerns**: Private keys isolated from public certificates
+- **Environment security**: Secrets stored in `/etc/registry/env/` with restrictive permissions (600)
+- **Service management**: Systemd service for proper startup, shutdown, and monitoring
+- **Separation of concerns**: Private keys isolated from public certificates, secrets isolated from configs
 - **Log management**: Logs in `/var/log/registry/` for centralized logging
 - **Configuration separation**: App configs in app directory, system data in system directories
 ```
@@ -2376,6 +2398,30 @@ You have successfully set up a complete CI/CD pipeline with:
 
 Your application is now ready for continuous deployment with proper security, monitoring, and maintenance procedures in place!
 
+### Cleanup Installation Files
+
+After successful setup, you can clean up the installation files to remove sensitive information:
+
+```bash
+# Remove installation files (optional - for security)
+sudo rm -rf /opt/APP_NAME/registry/openssl.conf
+sudo rm -rf /opt/APP_NAME/registry/certs/requests/openssl.conf
+
+# Note: DO NOT remove these files as they are needed for operation:
+# - /opt/APP_NAME/registry/docker-compose.registry.yml
+# - /opt/APP_NAME/registry/Caddyfile  
+# - /opt/APP_NAME/registry/docker-registry.service
+# - /opt/APP_NAME/registry/certs/ (symlinks to FHS locations)
+# - /etc/registry/env/.env (contains the actual secrets)
+# - /etc/systemd/system/docker-registry.service
+```
+
+**Security Note**: The `.env` file in `/etc/registry/env/.env` contains sensitive authentication data and should be:
+- **Backed up securely** if needed for disaster recovery
+- **Never committed to version control**
+- **Protected with proper permissions** (600 - owner read/write only)
+- **Rotated regularly** by updating the password and regenerating the hash
+
 ### Step 8.6 CI/CD Workflow Summary Table
 
 | Stage   | What Runs                | How/Where                |
diff --git a/registry/Caddyfile b/registry/Caddyfile
index e133e78..79f38d9 100644
--- a/registry/Caddyfile
+++ b/registry/Caddyfile
@@ -6,7 +6,7 @@
   # require auth on writes
   @writes method PUT POST PATCH DELETE
   basic_auth @writes {
-    registry-user DOCKER_REGISTRY_PASSWORD
+    registry-user {env.REGISTRY_PASSWORD_HASH}
   }
 
   # also require auth on the /v2/ ping so Docker sends creds
@@ -15,7 +15,7 @@
     method GET
   }
   basic_auth @v2ping {
-    registry-user DOCKER_REGISTRY_PASSWORD
+    registry-user {env.REGISTRY_PASSWORD_HASH}
   }
 
   reverse_proxy /v2/* registry:5000
diff --git a/registry/docker-compose.registry.yml b/registry/docker-compose.registry.yml
index d4b89e8..32605a1 100644
--- a/registry/docker-compose.registry.yml
+++ b/registry/docker-compose.registry.yml
@@ -27,3 +27,5 @@ services:
     volumes:
       - ./Caddyfile:/etc/caddy/Caddyfile:ro
       - ./certs:/etc/certs:ro
+    env_file:
+      - /etc/registry/env/.env
diff --git a/registry/docker-registry.service b/registry/docker-registry.service
index b16ed11..56471ef 100644
--- a/registry/docker-registry.service
+++ b/registry/docker-registry.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Docker Registry with Caddy
+Description=Docker Registry with Caddy Reverse Proxy
 After=docker.service
 Requires=docker.service
 
@@ -11,7 +11,15 @@ Group=CI_SERVICE_USER
 WorkingDirectory=/opt/APP_NAME/registry
 ExecStart=/usr/bin/docker compose -f docker-compose.registry.yml up -d
 ExecStop=/usr/bin/docker compose -f docker-compose.registry.yml down
-ExecReload=/usr/bin/docker compose -f docker-compose.registry.yml down && /usr/bin/docker compose -f docker-compose.registry.yml up -d
+ExecReload=/usr/bin/docker compose -f docker-compose.registry.yml restart
+TimeoutStartSec=0
+
+# Security settings
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/opt/APP_NAME/registry /etc/registry /var/lib/registry /var/log/registry
 
 [Install]
 WantedBy=multi-user.target 
\ No newline at end of file