un-abra

.gitignore

@@ -0,0 +1 @@
+.env

README.md

@@ -1,16 +1,23 @@
 # distribution
 
-> https://github.com/docker/distribution
+Wiki Cafe's configuration for a [Distribution](https://github.com/docker/distribution) deployment with a [UI](https://joxit.dev/docker-registry-ui/). Originally from an `abra` [recipe](https://git.coopcloud.tech/coop-cloud/distribution) by [Co-op Cloud](https://coopcloud.tech/).
 
-> https://joxit.dev/docker-registry-ui/
+## Deploying the app with Docker Swarm
 
-<!-- metadata -->
-* **Category**: Utilities
-* **Status**: 0, work-in-progress
-* **Image**: [`registry`](https://hub.docker.com/_/registry/), 4, upstream
-* **Healthcheck**: ?
-* **Backups**: ?
-* **Email**: ?
-* **Tests**: ?
-* **SSO**: ?
-<!-- endmetadata -->
+Set the environment variables from the .env file during the shell session.
+
+```
+set -a && source .env && set +a
+```
+
+Set the secrets if any.
+
+```
+printf "SECRET_HERE" | docker secret create SECRET_NAME -
+```
+
+Deploy using the `-c` flag to specify one or multiple compose files.
+
+```
+docker stack deploy distribution -c compose.yaml
+```

compose.yaml

@@ -0,0 +1,72 @@
+services:
+  distribution:
+    image: "registry:2.8.3"
+    volumes:
+      - "registry:/var/lib/registry"
+    networks:
+      - proxy
+    secrets:
+      - auth_token_rootcertbundle
+    environment:
+      - UI_URL
+      - REGISTRY_AUTH_TOKEN_REALM
+      - REGISTRY_AUTH_TOKEN_SERVICE
+      - REGISTRY_AUTH_TOKEN_ISSUER
+      - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE
+    configs:
+      - source: config_yml
+        target: /etc/docker/registry/config.yml
+    deploy:
+      update_config:
+        failure_action: rollback
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=5000"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DISTRIBUTION_DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "caddy=${DISTRIBUTION_DOMAIN}"
+        - "caddy.reverse_proxy={{upstreams 5000}}"
+        - "caddy.tls.on_demand="
+        - "backupbot.backup=true"
+
+  ui:
+    image: "joxit/docker-registry-ui:main"
+    networks:
+      - proxy
+    environment:
+      - REGISTRY_TITLE
+      - REGISTRY_URL
+      - SINGLE_REGISTRY
+    depends_on:
+      - registry
+    deploy:
+      update_config:
+        failure_action: rollback
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${UI_DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "caddy=${UI_DOMAIN}"
+        - "caddy.reverse_proxy={{upstreams 80}}"
+        - "caddy.tls.on_demand="
+        - "backupbot.backup=true"
+
+networks:
+  proxy:
+    external: true
+
+configs:
+  config_yml:
+    file: config.yml.tmpl
+    template_driver: golang
+
+secrets:
+  auth_token_rootcertbundle:
+    external: true
+    name: ${STACK_NAME}_auth_token_rootcertbundle
+
+volumes:
+  registry:

compose.yml

@@ -1,53 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    image: "registry:2"
-    volumes:
-      - "registry:/var/lib/registry"
-    networks:
-      - proxy
-    configs:
-      - source: config_yml
-        target: /etc/docker/registry/config.yml
-    deploy:
-      update_config:
-        failure_action: rollback
-      labels:
-        - "traefik.enable=true"
-        - "traefik.http.services.registry.loadbalancer.server.port=5000"
-        - "traefik.http.routers.registry.rule=Host(`registry.swarm.autonomic.zone`)"
-        - "traefik.http.routers.registry.entrypoints=web-secure"
-        - "traefik.http.routers.registry.tls.certresolver=production"
-
-  ui:
-    image: "joxit/docker-registry-ui:static"
-    networks:
-      - proxy
-    environment:
-      - REGISTRY_TITLE=Autonomic Container Catalogue
-      - URL=https://registry.swarm.autonomic.zone
-    depends_on:
-      - registry
-    deploy:
-      update_config:
-        failure_action: rollback
-      labels:
-        - "traefik.enable=true"
-        - "traefik.http.services.registry-ui.loadbalancer.server.port=80"
-        - "traefik.http.routers.registry-ui.rule=Host(`catalogue.swarm.autonomic.zone`)"
-        - "traefik.http.routers.registry-ui.entrypoints=web-secure"
-        - "traefik.http.routers.registry-ui.tls.certresolver=production"
-
-networks:
-  proxy:
-    external: true
-
-configs:
-  config_yml:
-    file: config.yml.tmpl
-    template_driver: golang
-
-volumes:
-  registry:

config.yml.tmpl

@@ -9,9 +9,16 @@ http:
   addr: :5000
   headers:
     X-Content-Type-Options: [nosniff]
-    Access-Control-Allow-Origin: ["{{ env "domain" }}"]
+    Access-Control-Allow-Origin: ["{{ env "UI_URL" }}"]
     Access-Control-Allow-Methods: ["HEAD", "GET", "OPTIONS", "DELETE"]
     Access-Control-Allow-Headers: ["Authorization"]
     Access-Control-Max-Age: [1728000]
     Access-Control-Allow-Credentials: [true]
     Access-Control-Expose-Headers: ["Docker-Content-Digest"]
+
+auth:
+  token:
+    realm: {{ env "REGISTRY_AUTH_TOKEN_REALM" }}
+    service: {{ env "REGISTRY_AUTH_TOKEN_SERVICE" }}
+    issuer: {{ env "REGISTRY_AUTH_TOKEN_ISSUER" }}
+    rootcertbundle: {{ env "REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE" }}

renovate.json

@@ -1,6 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:base"
-  ]
-}