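# systemd unit: Docker Registry v2 behind an nginx reverse proxy, run as a
# rootless Podman pod (registry-pod.yaml) from a *system* service with User=.
# CI_SERVICE_USER and APP_NAME look like deploy-time placeholders — confirm.

[Unit]
Description=Docker Registry v2 with nginx Reverse Proxy
# The pod pulls images on start, so order after a usable network rather than
# after network.target (which only means "network management has started").
Wants=network-online.target
After=network-online.target

[Service]
# `podman play kube` exits once the pod is up; RemainAfterExit keeps the unit
# active so ExecStop/ExecReload can manage the running pod.
Type=oneshot
RemainAfterExit=yes
User=CI_SERVICE_USER
Group=CI_SERVICE_USER
WorkingDirectory=/opt/APP_NAME/registry

# Rootless Podman state lives outside the home directory, in directories that
# systemd creates and chowns to User=/Group=:
#   StateDirectory   -> %S/podman-%u (/var/lib/...)  persistent image/container store
#   RuntimeDirectory -> %t/podman-%u (/run/...)      volatile runroot and tmpdir
# %u is the user *name*; %U would be the numeric UID. /run/user/<uid> is keyed
# by UID and only exists while logind holds a session for that user, so it is
# not a reliable runroot for a system service. A graph root under /var/tmp is
# aged out by systemd-tmpfiles and, with PrivateTmp=true, lives in a private
# mount that is discarded when the unit stops — images would be re-pulled on
# every start.
StateDirectory=podman-%u
RuntimeDirectory=podman-%u
Environment=PODMAN_ROOT=%S/podman-%u/root
Environment=PODMAN_RUNROOT=%t/podman-%u/run
Environment=PODMAN_TMPDIR=%t/podman-%u/tmp
Environment=XDG_DATA_HOME=%S/podman-%u/xdg-data
Environment=XDG_CONFIG_HOME=%S/podman-%u/xdg-config
Environment=XDG_RUNTIME_DIR=%t/podman-%u

# The storage flags are repeated on every Exec line so ExecStop/ExecReload,
# which run as fresh processes, address the same store as ExecStart.
# ${VAR} is expanded by systemd from the Environment= lines above.
ExecStart=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tmpdir=${PODMAN_TMPDIR} --events-backend=file play kube registry-pod.yaml
ExecStop=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tmpdir=${PODMAN_TMPDIR} --events-backend=file pod stop registry-pod
ExecReload=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tmpdir=${PODMAN_TMPDIR} --events-backend=file pod restart registry-pod
# First start may pull large images; do not time the start job out.
TimeoutStartSec=0

# Sandboxing. NoNewPrivileges=true is deliberately NOT set: rootless Podman
# maps subuid/subgid ranges through the setuid newuidmap/newgidmap helpers,
# and no_new_privs makes the kernel ignore setuid bits, so the ID mapping
# fails. The user namespace plus the read-only root below is the boundary.
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
# Everything else on the root filesystem is read-only. The State/Runtime
# directories are listed explicitly rather than relying on systemd adding
# them implicitly.
ReadWritePaths=/opt/APP_NAME/registry /etc/registry /var/lib/registry /var/log/registry %S/podman-%u %t/podman-%u

[Install]
WantedBy=multi-user.target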