# Shared snippet: HTTP Basic authentication for registry writers.
# Both values come from the environment. The second must be a password hash
# (for example the output of `caddy hash-password`), never the plaintext.
# NOTE(review): newer Caddy releases name this directive `basic_auth` and warn
# that `basicauth` is deprecated - confirm against the deployed version.
(registry_auth) {
	basicauth {
		{env.REGISTRY_USERNAME} {env.REGISTRY_PASSWORD_HASH}
	}
}

# Front end for the registry container at registry:5000.
# The access rules below are enforced only by this proxy, so the backend port
# should not be reachable by clients directly.
YOUR_DOMAIN_NAME {
	# Certificate and key are loaded from disk; keep the key file readable only
	# by the account Caddy runs as.
	tls /etc/caddy/certs/registry.crt /etc/caddy/certs/registry.key

	# Response compression.
	encode zstd gzip

	# JSON access log written to a file.
	log {
		output file /var/log/caddy/registry.log
		format json
		level INFO
	}

	# Browser-facing hardening headers added to every response.
	header X-Content-Type-Options nosniff
	header X-Frame-Options DENY

	# Write requests: blob uploads and manifest changes. A request must match
	# one of the paths AND one of the methods.
	# NOTE(review): a `*` in the middle of a path pattern is a glob that is not
	# expected to cross `/`, so repository names containing a slash (org/image)
	# would match neither matcher and get the 405 below - verify with real names.
	@registry_write {
		path /v2/*/blobs/uploads/* /v2/*/manifests/*
		method PUT POST PATCH DELETE
	}

	# Read requests, served without credentials. This includes /v2/_catalog and
	# tags/list, so anyone who can reach this host can enumerate repositories
	# and tags and pull any image: keep secrets out of image layers, or put
	# these routes behind authentication or a network allow-list.
	@registry_read {
		path /v2/*/blobs/* /v2/*/manifests/* /v2/_catalog /v2/*/tags/list
		method GET HEAD OPTIONS
	}

	# Writes must pass Basic auth before they are proxied.
	handle @registry_write {
		import registry_auth
		reverse_proxy registry:5000 {
			# The client's Authorization header is passed to the backend.
			# NOTE(review): if the registry does no authentication of its own,
			# the credentials need not travel past this proxy - confirm.
			header_up Authorization {http.request.header.Authorization}
			header_up X-Forwarded-For {http.request.remote.host}
			header_up X-Forwarded-Proto {http.request.scheme}
			header_up X-Forwarded-Host {http.request.host}
		}
	}

	# Reads are proxied with no authentication step.
	handle @registry_read {
		reverse_proxy registry:5000 {
			header_up X-Forwarded-For {http.request.remote.host}
			header_up X-Forwarded-Proto {http.request.scheme}
			header_up X-Forwarded-Host {http.request.host}
		}
	}

	# Fail closed: anything not matched above is refused. That covers DELETE on
	# a blob (its path is only in the read matcher) and GET /v2/.
	# NOTE(review): registry clients commonly probe GET /v2/ first and may learn
	# the auth scheme from it; confirm they work with a 405 there.
	handle {
		respond 405 {
			body "Registry operation not allowed"
		}
	}
}