CI_CD_PIPELINE_SETUP_GUIDE.md

@@ -686,25 +686,14 @@ sudo sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g" /opt/APP_NAME/registry/Ca
 sudo sed -i "s/YOUR_CI_CD_IP/YOUR_ACTUAL_IP_ADDRESS/g" /opt/APP_NAME/registry/openssl.conf
 sudo sed -i "s/YOUR_REGISTRY_NAME/APP_NAME-Registry/g" /opt/APP_NAME/registry/openssl.conf
 
-# Create FHS-compliant environment directory
+# Create environment file for registry authentication
-sudo mkdir -p /etc/registry/env
-sudo chown CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/env
-sudo chmod 755 /etc/registry/env
-
-# Create secure environment file for registry authentication
 # First, create a secure password hash
 # Save this password somewhere safe
 REGISTRY_PASSWORD="your-secure-registry-password"
 REGISTRY_PASSWORD_HASH=$(htpasswd -nbB registry-user "$REGISTRY_PASSWORD" | cut -d: -f2)
 
-# Create the .env file in FHS-compliant location
+# Update Caddyfile with the actual password hash
-sudo tee /etc/registry/env/.env > /dev/null <<EOF
+sudo sed -i "s/DOCKER_REGISTRY_PASSWORD/$REGISTRY_PASSWORD_HASH/g" /opt/APP_NAME/registry/Caddyfile
-REGISTRY_PASSWORD_HASH=$REGISTRY_PASSWORD_HASH
-EOF
-
-# Set secure permissions on .env file (owner read/write only)
-sudo chown CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/env/.env
-sudo chmod 600 /etc/registry/env/.env
 
 # Set proper permissions for configuration files
 sudo chown CI_SERVICE_USER:CI_SERVICE_USER /opt/APP_NAME/registry/Caddyfile
@@ -715,7 +704,7 @@ sudo chmod 644 /opt/APP_NAME/registry/openssl.conf
 sudo chmod 644 /opt/APP_NAME/registry/docker-compose.registry.yml
 ```
 
-#### 5.3 Create FHS-Compliant Directory Structure
+#### 5.3 Create FHS-Compliant Certificate Directory Structure
 
 ```bash
 # Create FHS-compliant certificate directory structure
@@ -724,12 +713,8 @@ sudo mkdir -p /etc/registry/certs/requests
 sudo mkdir -p /etc/registry/certs/ca
 sudo mkdir -p /var/lib/registry/data
 
-# Create FHS-compliant environment directory structure
+# Set proper ownership for certificate directories
-sudo mkdir -p /etc/registry/env
-
-# Set proper ownership for certificate and environment directories
 sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/certs
-sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /etc/registry/env
 sudo chown -R CI_SERVICE_USER:CI_SERVICE_USER /var/lib/registry/data
 
 # Set proper permissions for certificate directories
@@ -739,9 +724,6 @@ sudo chmod 755 /etc/registry/certs/requests   # Certificate requests
 sudo chmod 755 /etc/registry/certs/ca         # CA certificates
 sudo chmod 755 /var/lib/registry/data         # Registry data
 
-# Set proper permissions for environment directory
-sudo chmod 755 /etc/registry/env              # Environment directory
-
 # Create registry data directory symlink for docker-compose
 sudo ln -sf /var/lib/registry/data /opt/APP_NAME/registry/registry
 ```
@@ -894,7 +876,30 @@ echo "Automatic certificate renewal configured!"
 echo "Certificates will be renewed automatically and the registry service will be restarted"
 ```
 
-#### 5.7 Set Up Systemd Service for Docker Registry
+#### 5.7 Start Docker Registry with Docker Compose
+
+```bash
+# Switch to CI_SERVICE_USER
+sudo su - CI_SERVICE_USER
+
+# Navigate to the application directory
+cd /opt/APP_NAME/registry
+
+# Start the Docker Registry and Caddy services using the project's registry compose file
+docker compose -f docker-compose.registry.yml up -d
+
+# Verify services are running
+docker compose -f docker-compose.registry.yml ps
+
+# Check service logs for any issues
+docker compose -f docker-compose.registry.yml logs caddy
+docker compose -f docker-compose.registry.yml logs registry
+
+# Exit CI_SERVICE_USER shell
+exit
+```
+
+#### 5.8 Install Systemd Service for Docker Registry
 
 ```bash
 # Install systemd service from repository
@@ -911,27 +916,8 @@ sudo systemctl daemon-reload
 sudo systemctl enable docker-registry.service
 sudo systemctl start docker-registry.service
 
-# Verify services are running
+# Monitor startup
-sudo systemctl status docker-registry.service
+sudo journalctl -u docker-registry.service -f
-
-# Check service logs for any issues
-sudo journalctl -u docker-registry.service -f --no-pager -n 50
-```
-
-#### 5.8 Verify Docker Registry Service
-
-```bash
-# Check that the service is running properly
-sudo systemctl status docker-registry.service
-
-# Check that containers are running
-sudo su - CI_SERVICE_USER -c "cd /opt/APP_NAME/registry && docker compose -f docker-compose.registry.yml ps"
-
-# Check Caddy logs
-sudo su - CI_SERVICE_USER -c "cd /opt/APP_NAME/registry && docker compose -f docker-compose.registry.yml logs caddy"
-
-# Check Registry logs  
-sudo su - CI_SERVICE_USER -c "cd /opt/APP_NAME/registry && docker compose -f docker-compose.registry.yml logs registry"
 ```
 
 #### 5.9 Test Registry Setup
@@ -1389,7 +1375,6 @@ The Docker Registry setup now follows the Filesystem Hierarchy Standard (FHS) fo
 - `docker-compose.registry.yml` - Docker Compose configuration from project repository
 - `Caddyfile` - Caddy reverse proxy configuration from project repository  
 - `openssl.conf` - OpenSSL configuration for certificate generation from project repository
-- `docker-registry.service` - Systemd service file for Docker Registry
 - `certs/` - Symbolic links to FHS-compliant certificate locations
 
 **System Files** (FHS-compliant locations):
@@ -1399,17 +1384,12 @@ The Docker Registry setup now follows the Filesystem Hierarchy Standard (FHS) fo
   - `/etc/registry/certs/ca/` - CA certificates (mode 644)  
   - `/etc/registry/certs/requests/` - Certificate requests and configs (mode 644)
   - `/etc/registry/certs/registry.crt` - Server certificate (mode 644)
-- `/etc/registry/env/` - Environment variables and secrets:
-  - `/etc/registry/env/.env` - Registry authentication secrets (mode 600)
-- `/etc/systemd/system/docker-registry.service` - Systemd service configuration
 - `/var/log/registry/` - Registry and Caddy logs
 
 **Benefits of FHS Compliance**:
 - **Data persistence**: Registry data stored in `/var/lib/registry/data/` survives container restarts
 - **Certificate security**: Hierarchical certificate structure with proper permissions
-- **Environment security**: Secrets stored in `/etc/registry/env/` with restrictive permissions (600)
+- **Separation of concerns**: Private keys isolated from public certificates
-- **Service management**: Systemd service for proper startup, shutdown, and monitoring
-- **Separation of concerns**: Private keys isolated from public certificates, secrets isolated from configs
 - **Log management**: Logs in `/var/log/registry/` for centralized logging
 - **Configuration separation**: App configs in app directory, system data in system directories
 ```
@@ -2396,30 +2376,6 @@ You have successfully set up a complete CI/CD pipeline with:
 
 Your application is now ready for continuous deployment with proper security, monitoring, and maintenance procedures in place!
 
-### Cleanup Installation Files
-
-After successful setup, you can clean up the installation files to remove sensitive information:
-
-```bash
-# Remove installation files (optional - for security)
-sudo rm -rf /opt/APP_NAME/registry/openssl.conf
-sudo rm -rf /opt/APP_NAME/registry/certs/requests/openssl.conf
-
-# Note: DO NOT remove these files as they are needed for operation:
-# - /opt/APP_NAME/registry/docker-compose.registry.yml
-# - /opt/APP_NAME/registry/Caddyfile  
-# - /opt/APP_NAME/registry/docker-registry.service
-# - /opt/APP_NAME/registry/certs/ (symlinks to FHS locations)
-# - /etc/registry/env/.env (contains the actual secrets)
-# - /etc/systemd/system/docker-registry.service
-```
-
-**Security Note**: The `.env` file in `/etc/registry/env/.env` contains sensitive authentication data and should be:
-- **Backed up securely** if needed for disaster recovery
-- **Never committed to version control**
-- **Protected with proper permissions** (600 - owner read/write only)
-- **Rotated regularly** by updating the password and regenerating the hash
-
 ### Step 8.6 CI/CD Workflow Summary Table
 
 | Stage   | What Runs                | How/Where                |

registry/Caddyfile

@@ -6,7 +6,7 @@
   # require auth on writes
   @writes method PUT POST PATCH DELETE
   basic_auth @writes {
-    registry-user {env.REGISTRY_PASSWORD_HASH}
+    registry-user DOCKER_REGISTRY_PASSWORD
   }
 
   # also require auth on the /v2/ ping so Docker sends creds
@@ -15,7 +15,7 @@
     method GET
   }
   basic_auth @v2ping {
-    registry-user {env.REGISTRY_PASSWORD_HASH}
+    registry-user DOCKER_REGISTRY_PASSWORD
   }
 
   reverse_proxy /v2/* registry:5000

registry/docker-compose.registry.yml

@@ -27,5 +27,3 @@ services:
     volumes:
       - ./Caddyfile:/etc/caddy/Caddyfile:ro
       - ./certs:/etc/certs:ro
-    env_file:
-      - /etc/registry/env/.env

registry/docker-registry.service

@@ -1,5 +1,5 @@
 [Unit]
-Description=Docker Registry with Caddy Reverse Proxy
+Description=Docker Registry with Caddy
 After=docker.service
 Requires=docker.service
 
@@ -11,15 +11,7 @@ Group=CI_SERVICE_USER
 WorkingDirectory=/opt/APP_NAME/registry
 ExecStart=/usr/bin/docker compose -f docker-compose.registry.yml up -d
 ExecStop=/usr/bin/docker compose -f docker-compose.registry.yml down
-ExecReload=/usr/bin/docker compose -f docker-compose.registry.yml restart
+ExecReload=/usr/bin/docker compose -f docker-compose.registry.yml down && /usr/bin/docker compose -f docker-compose.registry.yml up -d
-TimeoutStartSec=0
-
-# Security settings
-NoNewPrivileges=true
-PrivateTmp=true
-ProtectSystem=strict
-ProtectHome=true
-ReadWritePaths=/opt/APP_NAME/registry /etc/registry /var/lib/registry /var/log/registry
 
 [Install]
 WantedBy=multi-user.target