Testable version of initial draft

config/etc/nginx/conf.d → config/etc/nginx/nginx.conf

@@ -16,17 +16,18 @@ http {
 
   server {
     listen 443 ssl;
-    server_name ${DOMAIN};
+    server_name docker.cdot.systems #${DOMAIN};
 
     # SSL
-    ssl_certificate /etc/nginx/conf.d/domain.crt;
-    ssl_certificate_key /etc/nginx/conf.d/domain.key;
+    ssl_certificate /etc/letsencrypt/live/docker.cdot.systems/fullchain.pem
+    ssl_certificate_key /etc/letsencrypt/live/docker.cdot.systems/privkey.pem
 
     # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
     ssl_protocols TLSv1.1 TLSv1.2;
     ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
     ssl_prefer_server_ciphers on;
     ssl_session_cache shared:SSL:10m;
+    ssl_trusted_certificate /etc/letsencrypt/live/docker.cdot.systems/chain.pem
 
     # disable any limits to avoid HTTP 413 for large image uploads
     client_max_body_size 0;
@@ -41,15 +42,11 @@ http {
         return 404;
       }
 
-      # To add basic authentication to v2 use auth_basic setting.
-      auth_basic "Registry realm";
-      auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;
-
       ## If $docker_distribution_api_version is empty, the header is not added.
       ## See the map directive above where this variable is defined.
       add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
 
-      proxy_pass                          http://registry:${PORT};
+      proxy_pass                          http://registry:5000; #${PORT};
       proxy_set_header  Host              $http_host;   # required for docker client's sake
       proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
       proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;

config/registry-config.yaml

@@ -13,29 +13,5 @@ storage:
 http:
   addr: 443:5000 # https://docs.docker.com/registry/configuration/#letsencrypt
   host: docker.cdot.systems
-  tls:
-    certificate: /path/to/x509/public
-    key: /path/to/x509/private
-    letsencrypt:
-      cachefile: /path/to/cache-file
-      email: [email protected]
-      #hosts: [myregistryaddress.org]
   headers:
     X-Content-Type-Options: [nosniff]
-auth:
- token:
-  realm: token-realm
-  service: token-service
-  issuer: registry-token-issuer
-  rootcertbundle: /root/certs/bundle
-# redis:
-#   addr: localhost:6379
-#   password: asecret
-#   db: 0
-#   dialtimeout: 10ms
-#   readtimeout: 10ms
-#   writetimeout: 10ms
-#   pool:
-#     maxidle: 16
-#     maxactive: 64
-#     idletimeout: 300s

docker-compose.yaml

@@ -6,29 +6,23 @@ services:
       - 443:443
     restart: unless-stopped
     volumes:
-      - ./config/etc/nginx/conf.d:/etc/nginx/conf.d
+      - ./config/etc/nginx/nginx.conf:/etc/nginx/nginx.conf
+    depends_on: 
+      - registry
 
   # SSL certificate management for nginx
   certbot:
     image: certbot/certbot
     container_name: 'certbot'
     volumes:
-      - ./config/etc/letsencrypt:/etc/letsencrypt
+      - /etc/letsencrypt:/etc/letsencrypt
     restart: always
     # This will check if your certificate is up for renewal every 12 hours as recommended by Let’s Encrypt
     entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
 
   registry:
     restart: always
     image: registry:2
-    environment:
-      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
-      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
-      REGISTRY_AUTH: token
-      REGISTRY_AUTH_TOKEN_REALM: Registry Realm
-      REGISTRY_AUTH_TOKEN_SERVICE: Token services
-      REGISTRY_AUTH_TOKEN_ISSUER: Registry token issuer
-      REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /root/certs/bundle
     volumes:
       - /mnt/docker0storage/registry:/var/lib/registry
-
+      #- ./config/registry-config.yaml:/config/registry-config.yaml  Untested use of the registry-config.yaml file