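# Rancher / Compose v2 stack for a private Docker registry: the registry
# itself, a web UI, and a cesanta/docker_auth token server, all published
# through Traefik via container labels. The docker_auth server configuration
# (`server:` / `letsencrypt:` / `token:` / `users:` / `acl:`) that follows this
# stack is a separate document that gets mounted into the `auth` service.
version: '2'

volumes:
  # All volumes are pre-existing rancher-nfs volumes. NOTE(review): with
  # `external: true` the volume must already exist; `driver:` is only
  # informational here, nothing is created from this file.
  registry-data:
    external: true
    driver: rancher-nfs
  registry-ssl:
    external: true
    driver: rancher-nfs
  registry-certs:
    external: true
    driver: rancher-nfs
  letsencrypt_letsencrypt-data_77077:
    external: true
    driver: rancher-nfs
  registry-config:
    external: true
    driver: rancher-nfs

services:
  registry:
    image: registry:2.6
    environment:
      REGISTRY_HTTP_HOST: https://registry.example.com
      # NOTE(review): a hard-coded shared secret committed with the stack.
      # Supply it at deploy time instead (every registry replica must share
      # the same value, so it belongs in the deployment's secret handling,
      # not in version control).
      REGISTRY_HTTP_SECRET: httpsecret
      # NOTE(review): `debug` is very verbose for a production registry and
      # logs request details; lower it once the stack is stable.
      REGISTRY_LOG_LEVEL: debug
      # Deletes are allowed at the storage layer — the ACL in the docker_auth
      # document is what decides who may actually issue them.
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
      # Token auth: clients are sent to the `auth` service (published under
      # /auth) and the returned JWT is verified against ROOTCERTBUNDLE.
      # REALM, ISSUER and the bundle must agree with the token server.
      REGISTRY_AUTH_TOKEN_REALM: https://registry.example.com/auth
      REGISTRY_AUTH_TOKEN_SERVICE: 'Docker registry'
      # NOTE(review): the docker_auth document below signs tokens with
      # issuer "KRONK Ltd." and certificate
      # /etc/letsencrypt/production/certs/kronkltd/fullchain.pem, which does
      # not match the issuer `ACME` and the `.../example/fullchain.pem` bundle
      # set here. Token verification fails unless both pairs are identical —
      # confirm which side is correct.
      REGISTRY_AUTH_TOKEN_ISSUER: ACME
      REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /etc/letsencrypt/production/certs/example/fullchain.pem
    stdin_open: true
    tty: true
    volumes:
      - registry-certs:/certs
      - registry-data:/var/lib/registry
      - letsencrypt_letsencrypt-data_77077:/etc/letsencrypt
    labels:
      traefik.path.prefix: /v1,/v2
      traefik.port: '5000'
      traefik.enable: stack
      traefik.domain: example.com

  web:
    # NOTE(review): no tag, so this resolves to `latest` and — together with
    # pull_image: always — is re-pulled on every start; pin a tag or digest.
    image: hyper/docker-registry-web
    environment:
      # The UI talks to the registry directly on the stack network,
      # bypassing Traefik.
      REGISTRY_URL: http://registry:5000/v2
      REGISTRY_NAME: registry.example.com
      # NOTE(review): the registry above enforces token auth, so with the
      # UI's own auth disabled its requests presumably get 401s — verify.
      # The UI itself is published on `/` without any authentication, and is
      # not read-only, so if it can reach the registry anyone who can open
      # the UI can delete images (deletes are enabled on the registry).
      REGISTRY_AUTH_ENABLED: 'false'
      REGISTRY_READONLY: 'false'
    stdin_open: true
    tty: true
    labels:
      traefik.port: '8080'
      traefik.enable: stack
      traefik.domain: example.com
      io.rancher.container.pull_image: always
      # Catch-all route for everything not starting with /v... . The leading
      # space in the value is kept from the original; it looks accidental —
      # confirm it is tolerated by the label parser.
      traefik.path: ' /{v:[^v].*},/'

  auth:
    image: cesanta/docker_auth:1
    stdin_open: true
    tty: true
    volumes:
      # docker_auth reads its configuration from /config; /etc/letsencrypt
      # provides the token signing certificate and key, /data the LE cache.
      - registry-config:/config
      - letsencrypt_letsencrypt-data_77077:/etc/letsencrypt
      - registry-ssl:/data
    labels:
      traefik.path.prefix: /auth
      traefik.port: '5001'
      traefik.enable: stack
      traefik.domain: example.com
      io.rancher.container.pull_image: always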
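# cesanta/docker_auth configuration — a separate document from the Compose
# stack above, mounted into the `auth` service at /config. It issues the
# bearer tokens that the registry verifies against
# REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE.
server:
  addr: ':5001'
  # NOTE(review): the client address used for the `ip:` ACL matches below is
  # taken from this header. That is only safe while :5001 is reachable solely
  # through Traefik; if the port can be reached directly, a client can set
  # X-Forwarded-For itself and satisfy the "allow everything" rules.
  real_ip_header: X-Forwarded-For

letsencrypt:
  # Email is required. It will be used to register with LetsEncrypt.
  email: duck@kronkltd.net
  # Cache directory, where certificates issued by LE will be stored. Must
  # exist. It is recommended to make it a volume mount so it persists across
  # restarts (here: the registry-ssl volume mounted at /data).
  cache_dir: /data/sslcache
  # Normally LetsEncrypt will obtain a certificate for whichever host the
  # client is connecting to. With this option, you can limit it to a
  # specific host name.
  # host: "docker.example.org"

token:
  # `issuer` must equal the registry's REGISTRY_AUTH_TOKEN_ISSUER and
  # `certificate` must be the file the registry loads as
  # REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE.
  # NOTE(review): the Compose stack above sets issuer `ACME` and the bundle
  # /etc/letsencrypt/production/certs/example/fullchain.pem — neither matches
  # the values here; tokens will not verify until they agree.
  issuer: 'KRONK Ltd.'
  # Token lifetime (seconds).
  expiration: 900
  certificate: /etc/letsencrypt/production/certs/kronkltd/fullchain.pem
  key: /etc/letsencrypt/production/certs/kronkltd/privkey.pem

users:
  # bcrypt hash of the admin password; only the hash is stored here.
  # NOTE(review): the hash uses cost factor 05, which is low for a
  # password that grants `*` on the whole registry — consider re-hashing
  # with a higher cost.
  'admin':
    password: '$2y$05$sjoQyjQJetleN0ULy3N3remGk9w.OBVgWwczpBW9UUuGWF1jq0mkO'
  # The empty user name enables anonymous clients; what they may do is
  # decided by the `account: ""` ACL entries below.
  '': {}

acl:
  # Rules are evaluated top to bottom; the first match decides, and "*"
  # grants every action (push, pull, delete).
  - match: {ip: '127.0.0.0/8'}
    actions: ['*']
    comment: 'Allow everything from localhost (IPv4)'
  - match: {ip: '::1'}
    actions: ['*']
    comment: 'Allow everything from localhost (IPv6)'
  # NOTE(review): this is the default docker0 gateway address. Because the
  # client IP comes from X-Forwarded-For, any proxied request whose forwarded
  # address resolves to this gateway would get full access — confirm Traefik
  # forwards the real client address and not the bridge address.
  - match: {ip: '172.17.0.1'}
    actions: ['*']
    comment: 'Allow everything from the local Docker bridge address'
  - match: {account: 'admin'}
    actions: ['*']
    comment: 'Admin has full access to everything.'
  - match: {account: '', type: 'registry', name: 'catalog'}
    actions: ['*']
    comment: 'Anonymous users can query the catalog.'
  # Unauthenticated pull of every repository: this registry is public by
  # design. Anonymous push/delete is not granted (no matching rule).
  - match: {account: ''}
    actions: ['pull']
    comment: 'Anonymous users can pull all images.'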