[ci skip] add TLS to private registry, switch to registry.viktorbarzin.me

This commit is contained in:
Viktor Barzin 2026-02-28 19:40:38 +00:00
parent e8bcf21127
commit 3e3699bbc6
No known key found for this signature in database
GPG key ID: 0EB088298288D958
5 changed files with 30 additions and 6 deletions


@ -15,7 +15,9 @@ steps:
username: "viktorbarzin"
password:
from_secret: dockerhub-pat
repo: viktorbarzin/infra
repo:
- viktorbarzin/infra
- registry.viktorbarzin.me:5050/infra
logins:
- registry: https://index.docker.io/v1/
username: viktorbarzin
@ -24,3 +26,7 @@ steps:
dockerfile: cli/Dockerfile
context: cli
auto_tag: true
cache_from:
- "type=registry,ref=registry.viktorbarzin.me:5050/infra:buildcache"
cache_to:
- "type=registry,ref=registry.viktorbarzin.me:5050/infra:buildcache,mode=max"
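Review bot: The new push target and the `cache_from`/`cache_to` refs at registry.viktorbarzin.me:5050 need a matching entry under `logins:` with credentials from a secret, but the only login visible in the hunk is for https://index.docker.io/v1/; the `logins:` list continues outside the hunk, so confirm an entry such as `- registry: registry.viktorbarzin.me:5050` with `password:` / `from_secret:` exists rather than relying on an unauthenticated push to the R/W registry. The same applies to the f1-stream pipeline in the second file. With `mode=max` the cache export also pushes every intermediate layer, so the private registry should be the only place this cache lands (it is here, but worth a comment above `cache_to:`).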


@ -16,7 +16,9 @@ steps:
username: "viktorbarzin"
password:
from_secret: dockerhub-pat
repo: viktorbarzin/f1-stream
repo:
- viktorbarzin/f1-stream
- registry.viktorbarzin.me:5050/f1-stream
logins:
- registry: https://index.docker.io/v1/
username: viktorbarzin
@ -27,6 +29,10 @@ steps:
platforms: linux/amd64
provenance: false
tags: latest
cache_from:
- "type=registry,ref=registry.viktorbarzin.me:5050/f1-stream:buildcache"
cache_to:
- "type=registry,ref=registry.viktorbarzin.me:5050/f1-stream:buildcache,mode=max"
- name: deploy
image: bitnami/kubectl


@ -114,6 +114,7 @@ services:
- "5050:5050"
volumes:
- /opt/registry/nginx.conf:/etc/nginx/nginx.conf:ro
- /opt/registry/tls:/etc/nginx/tls:ro
- nginx-cache:/var/cache/nginx
networks:
- registry
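Review bot: Mounting /opt/registry/tls read-only is the right shape, but nothing in this change handles rotation: nginx loads fullchain.pem and privkey.pem at startup, so when the wildcard certificate is renewed on the host the container keeps serving the old one until it is reloaded or restarted. Consider a comment next to the mount, e.g. `# TLS material is read at nginx start; reload or restart this service after renewal`, or a renewal hook that runs `nginx -s reload` inside the container. The service definition begins above the hunk, so whether a restart policy or healthcheck already covers this is not visible here.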


@ -223,11 +223,15 @@ http {
}
}
# --- Private R/W Registry (port 5050) ---
# --- Private R/W Registry (port 5050, TLS) ---
server {
listen 5050;
server_name _;
listen 5050 ssl;
server_name registry.viktorbarzin.me;
ssl_certificate /etc/nginx/tls/fullchain.pem;
ssl_certificate_key /etc/nginx/tls/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
client_max_body_size 0;
proxy_request_buffering off;
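Review bot: The new `listen 5050 ssl` block sets the certificate and protocols but no session or cipher settings, so every cache pull pays a full handshake and the TLSv1.2 cipher list is whatever the OpenSSL default provides. Adding `ssl_session_cache shared:SSL:10m;` and `ssl_session_timeout 1d;` after `ssl_protocols`, plus an explicit `ssl_ciphers` list limited to AEAD ECDHE suites (TLSv1.3 suites are unaffected), closes that gap. Note that `server_name registry.viktorbarzin.me;` does not restrict who can connect: as the only server on port 5050 it is nginx's default for any SNI value, so any access control for writes has to live in the rest of this server block, which continues below the hunk and should be checked now that the registry is reachable by name.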


@ -149,7 +149,7 @@ module "docker-registry-template" {
"systemctl stop nginx || true",
"systemctl disable nginx || true",
# Create directory structure
"mkdir -p /opt/registry/data/dockerhub /opt/registry/data/ghcr /opt/registry/data/quay /opt/registry/data/k8s /opt/registry/data/kyverno /opt/registry/data/private",
"mkdir -p /opt/registry/data/dockerhub /opt/registry/data/ghcr /opt/registry/data/quay /opt/registry/data/k8s /opt/registry/data/kyverno /opt/registry/data/private /opt/registry/tls",
# Write Docker Compose file
format("echo %s | base64 -d > /opt/registry/docker-compose.yml",
base64encode(file("${path.root}/../../modules/docker-registry/docker-compose.yml"))
@ -158,6 +158,13 @@ module "docker-registry-template" {
format("echo %s | base64 -d > /opt/registry/nginx.conf",
base64encode(file("${path.root}/../../modules/docker-registry/nginx_registry.conf"))
),
# Write TLS certificate for private registry (*.viktorbarzin.me wildcard)
format("echo %s | base64 -d > /opt/registry/tls/fullchain.pem",
base64encode(file("${path.root}/../../secrets/fullchain.pem"))
),
format("echo %s | base64 -d > /opt/registry/tls/privkey.pem && chmod 600 /opt/registry/tls/privkey.pem",
base64encode(file("${path.root}/../../secrets/privkey.pem"))
),
# Write Docker Hub registry config (with auth)
format("echo %s | base64 -d > /opt/registry/config-dockerhub.yml",
base64encode(