roles: add oci-registry

2026-01-31 01:05:23 +01:00 · 2022-11-21 02:48:12 +01:00
parent 011ed73be9
commit 299146e65a
7 changed files with 55 additions and 0 deletions
--- a/common/http.nix
+++ b/common/http.nix
@@ -21,6 +21,7 @@ let

  localProxyVhosts = mapVhostsByAttr "proxyLocalPort" (n: vh: commonVhostAttrs // {
    locations."/".proxyPass = "http://localhost:${toString vh.proxyLocalPort}";
+    locations."/".extraConfig = "client_max_body_size 0;";
  });

  localDirVhosts = mapVhostsByAttr "root" (n: vh: commonVhostAttrs // {
--- a/machines/altair/default.nix
+++ b/machines/altair/default.nix
@@ -32,6 +32,7 @@ in {
    monitoring.enable = true;
    nas-client.enable = true;
    netplay-index.enable = true;
+    oci-registry.enable = true;
    redirector.enable = true;
  };

--- a/roles/default.nix
+++ b/roles/default.nix
@@ -8,6 +8,7 @@
    ./monitoring
    ./nas-client
    ./netplay-index
+    ./oci-registry
    ./redirector
  ];
 }
--- a/roles/oci-registry/default.nix
+++ b/roles/oci-registry/default.nix
@@ -0,0 +1,32 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.my.roles.oci-registry;
+
+  port = 8039;
+in {
+  options.my.roles.oci-registry.enable = lib.mkEnableOption "OCI containers registry";
+
+  config = lib.mkIf cfg.enable {
+    age.secrets.oci-registry-htpasswd = {
+      file = ../../secrets/oci-registry-htpasswd.age;
+      owner = config.systemd.services.docker-registry.serviceConfig.User;
+    };
+
+    services.dockerRegistry = {
+      enable = true;
+      inherit port;
+
+      enableGarbageCollect = true;
+
+      extraConfig = {
+        auth.htpasswd = {
+          realm = "basic-realm";
+          path = config.age.secrets.oci-registry-htpasswd.path;
+        };
+      };
+    };
+
+    my.http.vhosts."oci-registry.dolphin-emu.org".proxyLocalPort = port;
+  };
+}
--- a/secrets/oci-registry-htpasswd.age
+++ b/secrets/oci-registry-htpasswd.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 QNIwVA 14pyefJmx1wb12EH0D763B8LGU4+wTh85GYoWika93s
+9+pKFjoxhoh2uPdzx2uCR26ug1JtzVUXLS7q/eZEbiw
+-> ssh-ed25519 K3b7BA hRXUU3bLRClujDLRHVG3eSf70WASiCtZx2JARr7O3lU
+Mww8GzB6E/rzoqBfso/kJN9c4KVmXUtQbfyNLi9TLQY
+-> dO-GI7>!-grease ?{eJ` xLDc.
+
+--- zfcdrI6wxzf7okw8fHCwqqimsAbkDsGTIOv1BCw2chE
+<EFBFBD>0`<60>M<EFBFBD>G<EFBFBD>> <20><17><><EFBFBD>+<2B><>w|<7C><><EFBFBD><EFBFBD><EFBFBD>]N?!<21>:J<><15>s$5]<5D>k݅<6B><DD85><07><>m<EFBFBD>0<EFBFBD>EԐY<D490><59>蔔<EFBFBD><E89494>;U<><16>(ݶ<><DDB6>6<EFBFBD><36><14>@<40><><EFBFBD>]D<><44><EFBFBD>=<3D><>l
--- a/secrets/oci-registry-password.age
+++ b/secrets/oci-registry-password.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 QNIwVA TlFcJcdA3LUQ4dmYwKeLB3Rd6s1kfudu8bEe7Mf0flE
+mGY94ptA9Lm4S7bVsuBPOXYqdO2AhS1gvGTsz50QNmc
+-> ssh-ed25519 K3b7BA aZ8exT1yLsBdNRvXnmEKJ0asNr9UlBq31FzEiHDsrjI
+vehMEXEkO5daAb8ZEY102Qv7G4lxEKfyrkeCUc2rytQ
+-> v1\-grease ^~0$Q[ B<zW#t D:nY 7rP
+
+--- y1nfHOb28MLKP6IH5JZmj8ir8w2J65/nfSZL5UvqKQY
+(v<><76>-<2D><><EFBFBD><1C><><EFBFBD>7<15><>7<EFBFBD><37><EFBFBD>Ӌ<EFBFBD><D38B>w<1E>}<7D>v<EFBFBD><76><EFBFBD><EFBFBD>O<EFBFBD>k<EFBFBD><6B>誹a<E8AAB9><61><EFBFBD>e{I<><10>D5E^<5E>ó<EFBFBD>D<EFBFBD><44>
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -17,6 +17,8 @@ let
    "infra-smtp-relay.age"
    "mastodon-smtp-password.age"
    "nas-credentials.age"
+    "oci-registry-htpasswd.age"
+    "oci-registry-password.age"
  ];
 in
  builtins.listToAttrs (builtins.map