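---
# Private container registry fronted by nginx (TLS termination + htpasswd auth).
# Both services run as an unprivileged user, with a read-only root filesystem,
# no-new-privileges, and Docker's default seccomp profile. The previous
# `seccomp:unconfined` entries were removed: they disabled the default syscall
# filter on both containers, contradicting the rest of the hardening here.
services:
  registry:
    image: registry@sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d
    container_name: registry
    restart: unless-stopped
    user: "1000:1000"
    environment:
      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
      # Disable image deletion for security
      REGISTRY_STORAGE_DELETE_ENABLED: "false"
      # Bind on all container interfaces; the port is only reachable on the
      # compose network (see `expose` below) and is never published to the host.
      REGISTRY_HTTP_ADDR: "0.0.0.0:5000"
      # TLS configuration
      REGISTRY_HTTP_TLS_CERTIFICATE: /etc/registry/certs/registry.crt
      REGISTRY_HTTP_TLS_KEY: /etc/registry/certs/private/registry.key
    volumes:
      - ./registry:/var/lib/registry
      - /etc/registry/certs:/etc/registry/certs:ro
    expose:
      - "5000"  # internal only, not published
    deploy:
      resources:
        limits:
          cpus: "1.0"
          memory: 1G
        reservations:
          cpus: "0.5"
          memory: 512M
    security_opt:
      - no-new-privileges:true
      # No `seccomp:unconfined` here: the default Docker seccomp profile applies.
    read_only: true
    tmpfs:
      - /tmp:noexec,nosuid,size=100m

  nginx:
    # NOTE(review): the tail of this digest is highly repetitive; confirm it
    # resolves to the intended nginx image before relying on the pin.
    image: nginx@sha256:6650513efd1d27c1f8a5351cbd33edf85cc7e3b73dc4d4d4e8f8c0b3d0b3d0b3d
    container_name: nginx
    restart: unless-stopped
    # NOTE(review): as a non-root user nginx cannot bind 443/4443 without
    # CAP_NET_BIND_SERVICE (or an unprivileged-port sysctl); confirm the image
    # or entrypoint grants that, otherwise the container will fail to start.
    user: "1000:1000"
    depends_on:
      - registry
    ports:
      - "443:443"  # HTTPS only
      - "4443:4443"
      # deliberately no "80:80" – no HTTP
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - /etc/registry/certs:/etc/registry/certs:ro
      - /etc/registry/auth/.htpasswd:/etc/nginx/.htpasswd:ro
      - /var/log/nginx:/var/log/nginx
      - ./containers-policy.json:/etc/containers/policy.json:ro
    deploy:
      resources:
        limits:
          cpus: "0.5"
          memory: 512M
        reservations:
          cpus: "0.25"
          memory: 256M
    security_opt:
      - no-new-privileges:true
      # No `seccomp:unconfined` here: the default Docker seccomp profile applies.
    read_only: true
    # NOTE(review): with read_only the only writable paths are /tmp and the
    # /var/log/nginx bind mount; nginx's cache and pid directories may also
    # need a tmpfs — confirm against the image's nginx.conf.
    tmpfs:
      - /tmp:noexec,nosuid,size=100m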