sharenet/registry/docker-registry.yml
continuist 98c5fb948f
Change from docker to podman and add security hardening
2025-08-18 23:03:06 -04:00


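---
# Private image registry fronted by an nginx TLS proxy.
# Both containers run as uid/gid 1000 with a read-only root filesystem and a
# small noexec /tmp. The registry is reachable only on the compose network
# (`expose`); nginx is the only service that publishes host ports.
# NOTE(review): the forge flagged "ambiguous Unicode characters" in this file;
# confirm no confusable (non-ASCII) characters ended up in the quoted scalars,
# since a look-alike quote or digit would silently change a value.
services:
  registry:
    # Pinned by digest rather than tag so the deployed image is immutable.
    image: registry@sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d
    container_name: registry
    restart: unless-stopped
    user: "1000:1000"
    environment:
      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
      # Disable image deletion for security
      REGISTRY_STORAGE_DELETE_ENABLED: "false"
      # 0.0.0.0 binds every interface *inside the container*; isolation from
      # the host comes from using `expose` (no `ports`) for this service.
      REGISTRY_HTTP_ADDR: 0.0.0.0:5000
      # TLS configuration. Presumably nginx proxies to https://registry:5000;
      # confirm the upstream scheme in nginx.conf.
      REGISTRY_HTTP_TLS_CERTIFICATE: /etc/registry/certs/registry.crt
      REGISTRY_HTTP_TLS_KEY: /etc/registry/certs/private/registry.key
    volumes:
      # Blob storage; ./registry on the host must be writable by uid 1000
      # (read_only covers the root filesystem, not bind mounts).
      - ./registry:/var/lib/registry
      - /etc/registry/certs:/etc/registry/certs:ro
    expose:
      - "5000"  # internal only, not published
    deploy:
      # NOTE(review): `deploy.resources` is honoured by `docker compose` v2;
      # confirm the podman front-end in use applies these limits instead of
      # silently ignoring them.
      resources:
        limits:
          cpus: '1.0'
          memory: 1G
        reservations:
          cpus: '0.5'
          memory: 512M
    security_opt:
      - no-new-privileges:true
      # The runtime's default seccomp profile applies. `seccomp:unconfined`
      # was dropped because it disables syscall filtering entirely, which
      # undoes the hardening the rest of this stanza provides; if a specific
      # syscall is required, mount a custom profile rather than going unconfined.
    read_only: true
    tmpfs:
      - /tmp:noexec,nosuid,size=100m

  nginx:
    # NOTE(review): the tail of this digest repeats (…0b3d0b3d0b3d0b3d), which
    # looks like a placeholder; verify it resolves to a real manifest before
    # deploying.
    image: nginx@sha256:6650513efd1d27c1f8a5351cbd33edf85cc7e3b73dc4d4d4e8f8c0b3d0b3d0b3d
    container_name: nginx
    restart: unless-stopped
    # NOTE(review): running as uid 1000 with a read-only root means nginx can
    # only start if nginx.conf puts its pid, cache and temp paths under /tmp
    # and the runtime lets an unprivileged process bind 443 inside the
    # container — confirm against nginx.conf and the podman configuration.
    user: "1000:1000"
    depends_on:
      - registry
    ports:
      - "443:443"  # HTTPS only
      - "4443:4443"  # purpose not documented here; confirm it is still needed
      # deliberately no "80:80": no plain-HTTP listener
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      # Shares the same cert directory (including the private key) as the
      # registry, since nginx terminates TLS on the published ports.
      - /etc/registry/certs:/etc/registry/certs:ro
      - /etc/registry/auth/.htpasswd:/etc/nginx/.htpasswd:ro
      # Host log directory must be writable by uid 1000.
      - /var/log/nginx:/var/log/nginx
      # NOTE(review): nginx does not read a containers policy file; presumably
      # this mount was meant for another service — confirm it is needed here.
      - ./containers-policy.json:/etc/containers/policy.json:ro
    deploy:
      # NOTE(review): see the registry service — confirm the podman front-end
      # honours `deploy.resources`.
      resources:
        limits:
          cpus: '0.5'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 256M
    security_opt:
      - no-new-privileges:true
      # Default seccomp profile applies; `seccomp:unconfined` removed for the
      # same reason as on the registry service.
    read_only: true
    tmpfs:
      - /tmp:noexec,nosuid,size=100m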