[ci skip] add TLS to private registry, switch to registry.viktorbarzin.me

.woodpecker/build-cli.yml

@@ -15,7 +15,9 @@ steps:
       username: "viktorbarzin"
       password:
         from_secret: dockerhub-pat
-      repo: viktorbarzin/infra
+      repo:
+        - viktorbarzin/infra
+        - registry.viktorbarzin.me:5050/infra
       logins:
         - registry: https://index.docker.io/v1/
           username: viktorbarzin
@@ -24,3 +26,7 @@ steps:
       dockerfile: cli/Dockerfile
       context: cli
       auto_tag: true
+      cache_from:
+        - "type=registry,ref=registry.viktorbarzin.me:5050/infra:buildcache"
+      cache_to:
+        - "type=registry,ref=registry.viktorbarzin.me:5050/infra:buildcache,mode=max"

.woodpecker/f1-stream.yml

@@ -16,7 +16,9 @@ steps:
       username: "viktorbarzin"
       password:
         from_secret: dockerhub-pat
-      repo: viktorbarzin/f1-stream
+      repo:
+        - viktorbarzin/f1-stream
+        - registry.viktorbarzin.me:5050/f1-stream
       logins:
         - registry: https://index.docker.io/v1/
           username: viktorbarzin
@@ -27,6 +29,10 @@ steps:
       platforms: linux/amd64
       provenance: false
       tags: latest
+      cache_from:
+        - "type=registry,ref=registry.viktorbarzin.me:5050/f1-stream:buildcache"
+      cache_to:
+        - "type=registry,ref=registry.viktorbarzin.me:5050/f1-stream:buildcache,mode=max"
 
   - name: deploy
     image: bitnami/kubectl

modules/docker-registry/docker-compose.yml

@@ -114,6 +114,7 @@ services:
       - "5050:5050"
     volumes:
       - /opt/registry/nginx.conf:/etc/nginx/nginx.conf:ro
+      - /opt/registry/tls:/etc/nginx/tls:ro
       - nginx-cache:/var/cache/nginx
     networks:
       - registry

modules/docker-registry/nginx_registry.conf

@@ -223,11 +223,15 @@ http {
         }
     }
 
-    # --- Private R/W Registry (port 5050) ---
+    # --- Private R/W Registry (port 5050, TLS) ---
 
     server {
-        listen 5050;
+        listen 5050 ssl;
-        server_name _;
+        server_name registry.viktorbarzin.me;
+
+        ssl_certificate /etc/nginx/tls/fullchain.pem;
+        ssl_certificate_key /etc/nginx/tls/privkey.pem;
+        ssl_protocols TLSv1.2 TLSv1.3;
 
         client_max_body_size 0;
         proxy_request_buffering off;

stacks/infra/main.tf

@@ -149,7 +149,7 @@ module "docker-registry-template" {
     "systemctl stop nginx || true",
     "systemctl disable nginx || true",
     # Create directory structure
-    "mkdir -p /opt/registry/data/dockerhub /opt/registry/data/ghcr /opt/registry/data/quay /opt/registry/data/k8s /opt/registry/data/kyverno /opt/registry/data/private",
+    "mkdir -p /opt/registry/data/dockerhub /opt/registry/data/ghcr /opt/registry/data/quay /opt/registry/data/k8s /opt/registry/data/kyverno /opt/registry/data/private /opt/registry/tls",
     # Write Docker Compose file
     format("echo %s | base64 -d > /opt/registry/docker-compose.yml",
       base64encode(file("${path.root}/../../modules/docker-registry/docker-compose.yml"))
@@ -158,6 +158,13 @@ module "docker-registry-template" {
     format("echo %s | base64 -d > /opt/registry/nginx.conf",
       base64encode(file("${path.root}/../../modules/docker-registry/nginx_registry.conf"))
     ),
+    # Write TLS certificate for private registry (*.viktorbarzin.me wildcard)
+    format("echo %s | base64 -d > /opt/registry/tls/fullchain.pem",
+      base64encode(file("${path.root}/../../secrets/fullchain.pem"))
+    ),
+    format("echo %s | base64 -d > /opt/registry/tls/privkey.pem && chmod 600 /opt/registry/tls/privkey.pem",
+      base64encode(file("${path.root}/../../secrets/privkey.pem"))
+    ),
     # Write Docker Hub registry config (with auth)
     format("echo %s | base64 -d > /opt/registry/config-dockerhub.yml",
       base64encode(