add htpasswd auth to private docker registry + expose at registry.viktorbarzin.me

- Add auth.htpasswd section to config-private.yml - Mount htpasswd file in registry-private container, fix healthcheck for 401 - Rename registry UI from registry.viktorbarzin.me → docker.viktorbarzin.me - Add Docker CLI ingress at registry.viktorbarzin.me (HTTPS backend, no rate-limit, unlimited body) - Add docker to cloudflare_proxied_names (registry stays non-proxied) - Add Kyverno ClusterPolicy to sync registry-credentials secret to all namespaces - Update infra provisioning to install apache2-utils and generate htpasswd from Vault
2026-03-22 22:10:10 +02:00 · 2026-03-22 22:10:10 +02:00 · 36171bcda4
commit 36171bcda4
parent e4f478b490
6 changed files with 123 additions and 5 deletions
--- a/stacks/reverse-proxy/modules/reverse_proxy/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
@ -186,10 +186,10 @@ module "proxmox" {
  }
 }

-# https://registry.viktorbarzin.me/
+# https://docker.viktorbarzin.me/ (registry web UI)
 module "docker-registry-ui" {
  source          = "./factory"
-  name            = "registry"
+  name            = "docker"
  external_name   = "docker-registry.viktorbarzin.lan"
  port            = 8080
  tls_secret_name = var.tls_secret_name
@ -206,6 +206,25 @@ module "docker-registry-ui" {
  }
 }

+# https://registry.viktorbarzin.me/ (Docker CLI push/pull endpoint)
+module "docker-registry-cli" {
+  source           = "./factory"
+  name             = "registry"
+  external_name    = "docker-registry.viktorbarzin.lan"
+  port             = 5050
+  backend_protocol = "HTTPS"
+  tls_secret_name  = var.tls_secret_name
+  protected        = false    # Docker CLI uses htpasswd, NOT Authentik
+  max_body_size    = "0"      # unlimited - Docker layers can be large
+  depends_on       = [kubernetes_namespace.reverse-proxy]
+  extra_annotations = {
+    # Skip rate-limit (Docker push/pull generates many rapid requests)
+    # Keep CrowdSec for L7 protection
+    "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
+    "gethomepage.dev/enabled"                          = "false"
+  }
+}
+
 # https://valchedrym.viktorbarzin.me/
 module "valchedrym" {
  source            = "./factory"