services:
  distribution:
    image: "registry:2.8.3"
    volumes:
      - "registry:/var/lib/registry"
    networks:
      - proxy
    secrets:
      - auth_token_rootcertbundle
    environment:
      - UI_URL
      - REGISTRY_AUTH_TOKEN_REALM
      - REGISTRY_AUTH_TOKEN_SERVICE
      - REGISTRY_AUTH_TOKEN_ISSUER
      - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE
    configs:
      - source: config_yml
        target: /etc/docker/registry/config.yml
    deploy:
      update_config:
        failure_action: rollback
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=5000"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DISTRIBUTION_DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "caddy=${DISTRIBUTION_DOMAIN}"
        - "caddy.reverse_proxy={{upstreams 5000}}"
        - "caddy.tls.on_demand="
        - "backupbot.backup=true"

  ui:
    image: "joxit/docker-registry-ui:main"
    networks:
      - proxy
    environment:
      - REGISTRY_TITLE
      - REGISTRY_URL
      - SINGLE_REGISTRY
    depends_on:
      - registry
    deploy:
      update_config:
        failure_action: rollback
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${UI_DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "caddy=${UI_DOMAIN}"
        - "caddy.reverse_proxy={{upstreams 80}}"
        - "caddy.tls.on_demand="
        - "backupbot.backup=true"

networks:
  proxy:
    external: true

configs:
  config_yml:
    file: config.yml.tmpl
    template_driver: golang

secrets:
  auth_token_rootcertbundle:
    external: true
    name: ${STACK_NAME}_auth_token_rootcertbundle

volumes:
  registry: