From 3e3699bbc64a033e11ec949028e79fec0e38dada Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 28 Feb 2026 19:40:38 +0000
Subject: [PATCH] [ci skip] add TLS to private registry, switch to registry.viktorbarzin.me
---
 .woodpecker/build-cli.yml | 8 +++++++-
 .woodpecker/f1-stream.yml | 8 +++++++-
 modules/docker-registry/docker-compose.yml | 1 +
 modules/docker-registry/nginx_registry.conf | 10 +++++++---
 stacks/infra/main.tf | 9 ++++++++-
 5 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/.woodpecker/build-cli.yml b/.woodpecker/build-cli.yml
index 583fc7ee..0ecfeb70 100644
--- a/.woodpecker/build-cli.yml
+++ b/.woodpecker/build-cli.yml
@@ -15,7 +15,9 @@ steps:
 username: "viktorbarzin"
 password:
 from_secret: dockerhub-pat
- repo: viktorbarzin/infra
+ repo:
+ - viktorbarzin/infra
+ - registry.viktorbarzin.me:5050/infra
 logins:
 - registry: https://index.docker.io/v1/
 username: viktorbarzin
@@ -24,3 +26,7 @@ steps:
 dockerfile: cli/Dockerfile
 context: cli
 auto_tag: true
+ cache_from:
+ - "type=registry,ref=registry.viktorbarzin.me:5050/infra:buildcache"
+ cache_to:
+ - "type=registry,ref=registry.viktorbarzin.me:5050/infra:buildcache,mode=max"
diff --git a/.woodpecker/f1-stream.yml b/.woodpecker/f1-stream.yml
index fa9f32b3..5b408623 100644
--- a/.woodpecker/f1-stream.yml
+++ b/.woodpecker/f1-stream.yml
@@ -16,7 +16,9 @@ steps:
 username: "viktorbarzin"
 password:
 from_secret: dockerhub-pat
- repo: viktorbarzin/f1-stream
+ repo:
+ - viktorbarzin/f1-stream
+ - registry.viktorbarzin.me:5050/f1-stream
 logins:
 - registry: https://index.docker.io/v1/
 username: viktorbarzin
@@ -27,6 +29,10 @@ steps:
 platforms: linux/amd64
 provenance: false
 tags: latest
+ cache_from:
+ - "type=registry,ref=registry.viktorbarzin.me:5050/f1-stream:buildcache"
+ cache_to:
+ - "type=registry,ref=registry.viktorbarzin.me:5050/f1-stream:buildcache,mode=max"
 - name: deploy
 image: bitnami/kubectl
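Review bot: The private registry `registry.viktorbarzin.me:5050` becomes a second push target in the `repo:` list (and in the matching hunk of `.woodpecker/f1-stream.yml`), but the `logins:` list visible in the same hunk still carries only the Docker Hub entry, so the push either runs unauthenticated or depends on a login configured outside this hunk. If the registry is meant to be private, an entry such as `- registry: https://registry.viktorbarzin.me:5050` with `username:` and `password: from_secret: <registry-secret-name>` belongs next to the Docker Hub login; if it accepts anonymous pushes, anything that can reach port 5050 can overwrite these images, which the TLS change elsewhere in this commit does not prevent. The `steps:` entry this hunk edits starts outside the hunk, so a login placed further down would not be visible here.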
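Review bot: `cache_to` with `mode=max` exports every layer of every build stage to `registry.viktorbarzin.me:5050/infra:buildcache` (same in the f1-stream hunk), not only the layers of the final image, so anything that exists solely in an intermediate stage — build args, files copied into a builder stage, package caches — becomes pullable from that ref by whoever can read the registry. Unless cache hits on intermediate stages are needed, `mode=min` (the default when the attribute is omitted) limits the export to the final image's layers; if `mode=max` stays, the stages of `cli/Dockerfile` should be checked for material that must not leave the build. Because the same ref is consumed on every build through `cache_from`, write access to this registry now also means the ability to seed layers into future builds, one more reason the registry must not accept anonymous pushes.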
diff --git a/modules/docker-registry/docker-compose.yml b/modules/docker-registry/docker-compose.yml
index 2834ac58..d078639a 100644
--- a/modules/docker-registry/docker-compose.yml
+++ b/modules/docker-registry/docker-compose.yml
@@ -114,6 +114,7 @@ services:
 - "5050:5050"
 volumes:
 - /opt/registry/nginx.conf:/etc/nginx/nginx.conf:ro
+ - /opt/registry/tls:/etc/nginx/tls:ro
 - nginx-cache:/var/cache/nginx
 networks:
 - registry
diff --git a/modules/docker-registry/nginx_registry.conf b/modules/docker-registry/nginx_registry.conf
index efa44d79..ef52311d 100644
--- a/modules/docker-registry/nginx_registry.conf
+++ b/modules/docker-registry/nginx_registry.conf
@@ -223,11 +223,15 @@ http {
 }
 }
- # --- Private R/W Registry (port 5050) ---
+ # --- Private R/W Registry (port 5050, TLS) ---
 server {
- listen 5050;
- server_name _;
+ listen 5050 ssl;
+ server_name registry.viktorbarzin.me;
+
+ ssl_certificate /etc/nginx/tls/fullchain.pem;
+ ssl_certificate_key /etc/nginx/tls/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
 client_max_body_size 0;
 proxy_request_buffering off;
diff --git a/stacks/infra/main.tf b/stacks/infra/main.tf
index 3e72f869..8e79a0c8 100644
--- a/stacks/infra/main.tf
+++ b/stacks/infra/main.tf
@@ -149,7 +149,7 @@ module "docker-registry-template" {
 "systemctl stop nginx || true",
 "systemctl disable nginx || true",
 # Create directory structure
- "mkdir -p /opt/registry/data/dockerhub /opt/registry/data/ghcr /opt/registry/data/quay /opt/registry/data/k8s /opt/registry/data/kyverno /opt/registry/data/private",
+ "mkdir -p /opt/registry/data/dockerhub /opt/registry/data/ghcr /opt/registry/data/quay /opt/registry/data/k8s /opt/registry/data/kyverno /opt/registry/data/private /opt/registry/tls",
 # Write Docker Compose file
 format("echo %s | base64 -d > /opt/registry/docker-compose.yml",
 base64encode(file("${path.root}/../../modules/docker-registry/docker-compose.yml"))
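Review bot: Adding `ssl` to `listen 5050` and replacing `server_name _;` with `registry.viktorbarzin.me` does not restrict who reaches this `server` block: as the only, and therefore default, server on port 5050 it still answers requests addressed to the bare IP or any other `Host`, and none of the lines in this hunk add authentication to a block labelled "Private R/W". If `auth_basic`/`auth_basic_user_file` or an `allow`/`deny` list lives further down in the block (the `server { … }` body continues outside the hunk), that covers it; otherwise TLS here only protects the transport. With TLSv1.2 still enabled the default cipher list applies, so pinning it after `ssl_protocols` with `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;` and `ssl_prefer_server_ciphers off;` keeps the 1.2 suites to forward-secret AEAD ones.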
@@ -158,6 +158,13 @@ module "docker-registry-template" {
 format("echo %s | base64 -d > /opt/registry/nginx.conf",
 base64encode(file("${path.root}/../../modules/docker-registry/nginx_registry.conf"))
 ),
+ # Write TLS certificate for private registry (*.viktorbarzin.me wildcard)
+ format("echo %s | base64 -d > /opt/registry/tls/fullchain.pem",
+ base64encode(file("${path.root}/../../secrets/fullchain.pem"))
+ ),
+ format("echo %s | base64 -d > /opt/registry/tls/privkey.pem && chmod 600 /opt/registry/tls/privkey.pem",
+ base64encode(file("${path.root}/../../secrets/privkey.pem"))
+ ),
 # Write Docker Hub registry config (with auth)
 format("echo %s | base64 -d > /opt/registry/config-dockerhub.yml",
 base64encode(
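Review bot: `echo %s | base64 -d > /opt/registry/tls/privkey.pem && chmod 600 …` creates the key file under the shell's default umask and only then tightens it, so for a moment the private key is readable by every local user; writing it under a restrictive umask closes that window, e.g. `(umask 077; echo %s | base64 -d > /opt/registry/tls/privkey.pem)`, and the `mkdir -p` hunk above could follow up with `chmod 700 /opt/registry/tls` for the same reason. More importantly, `base64encode(file("${path.root}/../../secrets/privkey.pem"))` inlines the private key into the command list this module consumes, which means the key is carried in the Terraform plan and state and — if the module turns these commands into cloud-init user-data or a VM template rather than running them through `remote-exec` — into instance metadata readable from inside the guest, so it is worth confirming which path the module takes, that state is stored encrypted with restricted access, and that `secrets/` is not committed in clear text. The new comment should also record that the certificate is baked in at provisioning time, since nothing here refreshes `fullchain.pem` when the wildcard certificate rotates, e.g. `# NOTE: cert/key are embedded at provisioning; re-apply after renewal`.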