add htpasswd auth to private docker registry + expose at registry.viktorbarzin.me

- Add auth.htpasswd section to config-private.yml - Mount htpasswd file in registry-private container, fix healthcheck for 401 - Rename registry UI from registry.viktorbarzin.me → docker.viktorbarzin.me - Add Docker CLI ingress at registry.viktorbarzin.me (HTTPS backend, no rate-limit, unlimited body) - Add docker to cloudflare_proxied_names (registry stays non-proxied) - Add Kyverno ClusterPolicy to sync registry-credentials secret to all namespaces - Update infra provisioning to install apache2-utils and generate htpasswd from Vault
2026-03-22 22:10:10 +02:00 · 2026-03-22 22:10:10 +02:00 · 36171bcda4
commit 36171bcda4
parent e4f478b490
6 changed files with 123 additions and 5 deletions
--- a/stacks/infra/main.tf
+++ b/stacks/infra/main.tf
@ -21,6 +21,11 @@ data "vault_kv_secret_v2" "secrets" {
  name  = "infra"
 }

+data "vault_kv_secret_v2" "viktor" {
+  mount = "secret"
+  name  = "viktor"
+}
+
 # ---------------------------------------------------------------------------
 # Locals
 # ---------------------------------------------------------------------------
@ -176,8 +181,8 @@ module "docker-registry-template" {

  # Setup registry config and start container
  provision_cmds = [
-    # Install and enable QEMU guest agent for remote management
-    "apt-get install -y qemu-guest-agent",
+    # Install dependencies (QEMU guest agent + htpasswd for registry auth)
+    "apt-get install -y qemu-guest-agent apache2-utils",
    "systemctl enable qemu-guest-agent",
    "systemctl start qemu-guest-agent",
    # Stop host nginx — we run nginx inside Docker instead
@ -185,6 +190,11 @@ module "docker-registry-template" {
    "systemctl disable nginx || true",
    # Create directory structure
    "mkdir -p /opt/registry/data/dockerhub /opt/registry/data/ghcr /opt/registry/data/quay /opt/registry/data/k8s /opt/registry/data/kyverno /opt/registry/data/private /opt/registry/tls",
+    # Generate htpasswd file for private registry authentication
+    format("htpasswd -Bbn %s %s > /opt/registry/htpasswd",
+      data.vault_kv_secret_v2.viktor.data["registry_user"],
+      data.vault_kv_secret_v2.viktor.data["registry_password"]
+    ),
    # Write Docker Compose file
    format("echo %s | base64 -d > /opt/registry/docker-compose.yml",
      base64encode(file("${path.root}/../../modules/docker-registry/docker-compose.yml"))