[ci] Auto-sync modules/docker-registry/* to registry VM + runbook docs

Replaces the manual scp+bounce sequence that landed registry:2.8.3 on 10.0.20.10 today (see commit 7cb44d72 + nginx-DNS-trap in runbook). Addresses the "no repeat manual fixes" preference — future changes to docker-compose.yml / fix-broken-blobs.sh / nginx_registry.conf / config-private.yml / cleanup-tags.sh now deploy through CI. Pipeline (.woodpecker/registry-config-sync.yml) mirrors pve-nfs-exports-sync.yml: ssh-keyscan pin, scp the whole managed set, bounce compose only when compose-visible files changed, always restart nginx after a compose bounce (critical — nginx caches upstream DNS), end with a dry-run fix-broken-blobs.sh to catch regressions. Credentials: - Woodpecker repo-secret `registry_ssh_key` (events: push, manual) - Mirror at Vault `secret/woodpecker/registry_ssh_key` (private_key / public_key / known_hosts_entry) - Public key on /root/.ssh/authorized_keys on 10.0.20.10 - Key label: woodpecker-registry-config-sync Runbook updated with "Auto-sync pipeline" section pointing at the new flow + manual override command. Closes: code-3vl Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 17:32:12 +00:00 · 2026-04-19 17:32:12 +00:00 · 34ee282d88
commit 34ee282d88
parent a641dc744f
2 changed files with 184 additions and 0 deletions
--- a/docs/runbooks/registry-vm.md
+++ b/docs/runbooks/registry-vm.md
@ -140,6 +140,34 @@ ssh root@10.0.20.10 '
 '
 ```

+## Auto-sync pipeline
+
+Changes to `modules/docker-registry/{docker-compose.yml, fix-broken-blobs.sh,
+cleanup-tags.sh, nginx_registry.conf, config-private.yml}` deploy
+automatically via `.woodpecker/registry-config-sync.yml`:
+
+- Fires on `push` to master touching any of those paths, or via `manual`
+  event (Woodpecker UI / API).
+- SCPs every managed file to `/opt/registry/` on `10.0.20.10`.
+- Bounces containers + nginx when a compose-visible file changed; leaves
+  them alone when only scripts changed (cron picks up automatically).
+- Runs a dry-run `fix-broken-blobs.sh` at the end to verify the registry
+  is still coherent.
+
+SSH credentials: Woodpecker repo-secret `registry_ssh_key` (ed25519,
+provisioned 2026-04-19). Public key at `/root/.ssh/authorized_keys` on
+`10.0.20.10`. Private key mirrored at `secret/woodpecker/registry_ssh_key`
+in Vault (subkeys `private_key` / `public_key` / `known_hosts_entry`).
+
+Manual override if you need to sync right now:
+
+```sh
+curl -sf -X POST \
+  -H "Authorization: Bearer $WOODPECKER_TOKEN" \
+  "https://ci.viktorbarzin.me/api/repos/1/pipelines" \
+  -d '{"branch":"master"}' | jq .number
+```
+
 ## Bouncing registry containers — the nginx DNS trap

 `docker compose up -d` on `/opt/registry/docker-compose.yml` recreates