init

ansible/roles/docker_registry/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+install_dir: /opt/docker-registry
+port: 5050
+ssl_cert: /etc/letsencrypt/live/tiararodney.com/fullchain.pem
+ssl_key: /etc/letsencrypt/live/tiararodney.com/privkey.pem

ansible/roles/docker_registry/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+-
+    name: restart docker-registry
+    community.docker.docker_compose_v2:
+        project_src: "{{ install_dir }}"
+        state: restarted
+-
+    name: reload apache
+    service:
+        name: "{{ apache_service }}"
+        state: reloaded

ansible/roles/docker_registry/tasks/deploy-registry.yml

@@ -0,0 +1,61 @@
+---
+-
+    name: Ensure install directory exists
+    file:
+        path: "{{ install_dir }}"
+        state: directory
+        mode: "0755"
+
+-
+    name: Deploy registry configuration
+    template:
+        src: config.yml.j2
+        dest: "{{ install_dir }}/config.yml"
+    notify: restart docker-registry
+
+-
+    name: Deploy docker-compose file
+    template:
+        src: docker-compose.yml.j2
+        dest: "{{ install_dir }}/docker-compose.yml"
+
+-
+    name: Start registry stack
+    include_role:
+        name: docker
+        tasks_from: start-compose
+    vars:
+        compose_project_dir: "{{ install_dir }}"
+
+-
+    name: Load Apache variables
+    include_vars:
+        file: "{{ role_path }}/../apache/vars/{{ ansible_os_family }}.yml"
+
+-
+    name: Deploy registry vhost
+    template:
+        src: vhost.conf.j2
+        dest: "{{ apache_sites_available }}/docker-registry-{{ hostname | regex_replace('\\..*', '') }}.conf"
+    notify: reload apache
+
+-
+    name: Enable registry vhost
+    command: "{{ apache_enable_site_cmd }} docker-registry-{{ hostname | regex_replace('\\..*', '') }}"
+    args:
+        creates: "{{ apache_sites_enabled }}/docker-registry-{{ hostname | regex_replace('\\..*', '') }}.conf"
+    notify: reload apache
+
+-
+    name: Deploy registry backup script
+    include_role:
+        name: docker
+        tasks_from: deploy-backup
+    vars:
+        backup_name: docker-registry
+        backup_hook_dir: /etc/restic/pre-backup.d
+        backup_volumes:
+            - docker-registry_registry_data
+        backup_files:
+            - "{{ install_dir }}/docker-compose.yml"
+            - "{{ install_dir }}/config.yml"

ansible/roles/docker_registry/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+-
+    name: Deploy registry
+    ansible.builtin.include_tasks: deploy-registry.yml

ansible/roles/docker_registry/tasks/restore-registry.yml

@@ -0,0 +1,22 @@
+---
+-
+    name: Check if registry backup archive exists
+    stat:
+        path: /var/backups/docker-registry/docker-registry_registry_data.tar.gz
+    register: registry_backup
+
+-
+    name: Restore registry volume from backup
+    command: >
+        docker run --rm
+        -v docker-registry_registry_data:/data
+        -v /var/backups/docker-registry:/backup:ro
+        alpine sh -c "tar xzf /backup/docker-registry_registry_data.tar.gz -C /data"
+    when: registry_backup.stat.exists
+
+-
+    name: Restart registry after restore
+    community.docker.docker_compose_v2:
+        project_src: "{{ install_dir }}"
+        state: restarted
+    when: registry_backup.stat.exists

ansible/roles/docker_registry/templates/config.yml.j2

@@ -0,0 +1,13 @@
+version: 0.1
+log:
+  fields:
+    service: registry
+storage:
+  filesystem:
+    rootdirectory: /var/lib/registry
+  delete:
+    enabled: true
+http:
+  addr: :5000
+proxy:
+  remoteurl: {{ remote_url | default('https://registry-1.docker.io') }}

ansible/roles/docker_registry/templates/docker-compose.yml.j2

@@ -0,0 +1,12 @@
+services:
+    registry:
+        image: registry:2
+        ports:
+            - "127.0.0.1:{{ port }}:5000"
+        volumes:
+            - registry_data:/var/lib/registry
+            - ./config.yml:/etc/docker/registry/config.yml:ro
+        restart: unless-stopped
+
+volumes:
+    registry_data:

ansible/roles/docker_registry/templates/vhost.conf.j2

@@ -0,0 +1,28 @@
+<VirtualHost *:80>
+    ServerName {{ hostname }}
+    Redirect permanent / https://{{ hostname }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName {{ hostname }}
+    SSLEngine on
+    SSLCertificateFile {{ ssl_cert }}
+    SSLCertificateKeyFile {{ ssl_key }}
+
+    # Return an empty OCI index for referrers requests.
+    # registry:2 does not support the OCI referrers API and proxies
+    # the request to upstream which may return HTML error pages,
+    # causing Docker 29+ to fail with "failed to decode referrers index".
+    RewriteEngine on
+    RewriteRule "^/v2/.*/referrers/" - [R=200,L,E=REFERRERS:1]
+    Header always set Content-Type "application/vnd.oci.image.index.v1+json" env=REFERRERS
+    <LocationMatch "^/v2/.*/referrers/">
+        ErrorDocument 200 '{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[]}'
+    </LocationMatch>
+
+    ProxyPreserveHost on
+    RequestHeader set X-Forwarded-Proto "https"
+    RequestHeader set X-Forwarded-Ssl "on"
+    ProxyPass / http://127.0.0.1:{{ port }}/
+    ProxyPassReverse / http://127.0.0.1:{{ port }}/
+</VirtualHost>