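---
# docker_auth configuration: listener settings for the token server.
server:
  # Listen on every interface, port 5001.
  addr: ":5001"
  # docker_auth takes the client address from this header instead of the
  # connection's remote address. The `ip` matches in the acl section are
  # evaluated against that value.
  # NOTE(review): the header is only trustworthy when every route to port
  # 5001 passes through a proxy that overwrites it. A request that reaches
  # the port directly, or through a proxy that appends to the header, can
  # state any source address. Keep the port reachable from the proxy only,
  # and confirm the proxy replaces client-supplied values.
  real_ip_header: "X-Forwarded-For"
  letsencrypt:
    # Email is required. It will be used to register with LetsEncrypt.
    email: duck@kronkltd.net
    # Cache directory, where certificates issued by LE will be stored.
    # Must exist. It is recommended to make it a volume mount so it persists
    # across restarts. The directory holds private keys; restrict access.
    cache_dir: /data/sslcache
    # Normally LetsEncrypt will obtain a certificate for whichever host the
    # client is connecting to. With this option, you can limit it to a
    # specific host name.
    # host: "docker.example.org"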
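# Settings for the tokens docker_auth signs and returns to clients.
token:
  # Must be identical to the issuer the registry is configured to accept
  # (REGISTRY_AUTH_TOKEN_ISSUER on the registry side); the registry rejects
  # tokens whose issuer differs.
  issuer: "KRONK Ltd."
  # Token lifetime in seconds (15 minutes).
  expiration: 900
  # Certificate and private key used to sign tokens.
  # NOTE(review): both paths point into the Let's Encrypt certificate store,
  # so tokens appear to be signed with the key that also serves TLS. Anything
  # that can read that store can then mint registry tokens, and a renewal
  # that rotates the key changes the signing key too. A dedicated signing
  # key pair, readable only by this service, keeps the two roles separate.
  certificate: "/etc/letsencrypt/production/certs/kronkltd/fullchain.pem"
  key: "/etc/letsencrypt/production/certs/kronkltd/privkey.pem"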
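# Static user database.
users:
  "admin":
    # bcrypt hash of the admin password.
    # NOTE(review): the "$2y$05$" prefix is a cost factor of 5, which makes
    # offline guessing cheap, and the hash is published together with this
    # config. Change the password, regenerate the hash with a higher cost,
    # and keep the real value out of shared copies of the file.
    password: "$2y$05$sjoQyjQJetleN0ULy3N3remGk9w.OBVgWwczpBW9UUuGWF1jq0mkO"
  # The empty name is the anonymous account (no "docker login"); the empty
  # mapping means no password is required for it.
  "": {}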
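# Access rules. docker_auth checks the entries from top to bottom and applies
# the first one whose match section fits the request.
acl:
  # NOTE(review): the three ip rules carry no account condition, so they
  # grant every action to any caller, anonymous included, whose address
  # matches. With real_ip_header set in the server section, that address is
  # whatever the X-Forwarded-For header says. These rules are therefore only
  # as strong as the proxy's handling of that header. Adding an account
  # condition, or dropping the ip rules, removes the dependency.
  - match: {ip: "127.0.0.0/8"}
    actions: ["*"]
    comment: "Allow everything from localhost (IPv4)"
  - match: {ip: "::1"}
    actions: ["*"]
    comment: "Allow everything from localhost (IPv6)"
  # NOTE(review): depending on how ports are published, proxied connections
  # can appear to come from the bridge address; verify which clients this
  # rule really covers.
  - match: {ip: "172.17.0.1"}
    actions: ["*"]
    comment: "Allow everything from the local Docker bridge address"
  - match: {account: "admin"}
    actions: ["*"]
    comment: "Admin has full access to everything."
  # Lets unauthenticated clients list every repository name.
  - match: {account: "", type: "registry", name: "catalog"}
    actions: ["*"]
    comment: "Anonymous users can query the catalog."
  # Makes every image publicly readable; push still needs a rule above.
  - match: {account: ""}
    actions: ["pull"]
    comment: "Anonymous users can pull all images."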
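---
# Compose stack for the registry, its web UI and the docker_auth token server.
version: '2'

# Every volume already exists outside this stack (external) and is provided
# by the rancher-nfs driver.
volumes:
  # Image layers and manifests.
  registry-data:
    external: true
    driver: rancher-nfs
  # Mounted at /data in the auth service (its Let's Encrypt cache).
  registry-ssl:
    external: true
    driver: rancher-nfs
  registry-certs:
    external: true
    driver: rancher-nfs
  # Certificate store shared by the registry and auth services. It contains
  # private keys, so access on the NFS side should be limited to those two.
  letsencrypt_letsencrypt-data_77077:
    external: true
    driver: rancher-nfs
  # Holds the docker_auth configuration, including the user password hashes.
  registry-config:
    external: true
    driver: rancher-nfs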
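services:
  # Docker registry with token authentication delegated to the auth service.
  registry:
    image: registry:2.6
    environment:
      REGISTRY_HTTP_HOST: https://registry.example.com
      # NOTE(review): placeholder value. Use a long random secret supplied
      # from a secret store rather than a literal in this file.
      REGISTRY_HTTP_SECRET: httpsecret
      # NOTE(review): debug logging is verbose and may record request
      # details; lower the level once the setup works.
      REGISTRY_LOG_LEVEL: debug
      # Allows deletion of blobs and manifests through the API. Who may use
      # it is decided by the actions the auth service grants.
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
      REGISTRY_AUTH_TOKEN_REALM: https://registry.example.com/auth
      REGISTRY_AUTH_TOKEN_SERVICE: Docker registry
      # Must equal token.issuer in the docker_auth config. The value here
      # and the certificate path below look like sanitized placeholders;
      # confirm they match the auth service before deploying.
      REGISTRY_AUTH_TOKEN_ISSUER: ACME
      # Certificate bundle used to verify token signatures.
      REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /etc/letsencrypt/production/certs/example/fullchain.pem
    stdin_open: true
    volumes:
      - registry-certs:/certs
      - registry-data:/var/lib/registry
      # NOTE(review): the registry only reads the certificate bundle from
      # this volume, yet the mount also exposes the private keys stored next
      # to it. A read-only mount (":ro") of just the bundle would narrow it.
      - letsencrypt_letsencrypt-data_77077:/etc/letsencrypt
    tty: true
    labels:
      traefik.path.prefix: /v1,/v2
      traefik.port: '5000'
      traefik.enable: stack
      traefik.domain: example.com

  # Browser UI for the registry.
  web:
    # NOTE(review): no tag is given and pull_image is "always", so every
    # redeploy runs whatever the publisher pushed last. Pin a version or a
    # digest.
    image: hyper/docker-registry-web
    environment:
      REGISTRY_URL: http://registry:5000/v2
      REGISTRY_NAME: registry.example.com
      # NOTE(review): the UI is published through Traefik (labels below)
      # with its own login disabled and read-only mode off. Whether a
      # visitor can then delete images depends on what the registry grants
      # to the UI's requests - TODO confirm. Setting REGISTRY_READONLY to
      # 'true' avoids relying on that.
      REGISTRY_AUTH_ENABLED: 'false'
      REGISTRY_READONLY: 'false'
    stdin_open: true
    tty: true
    labels:
      traefik.port: '8080'
      traefik.enable: stack
      traefik.domain: example.com
      io.rancher.container.pull_image: always
      traefik.path: ' /{v:[^v].*},/'

  # docker_auth token server.
  auth:
    # NOTE(review): "1" is a moving tag and pull_image is "always"; pin an
    # exact version or digest so the running code changes only on purpose.
    image: cesanta/docker_auth:1
    stdin_open: true
    volumes:
      # Configuration with the user database; the service only reads it.
      - registry-config:/config
      # Source of the token signing certificate and key.
      - letsencrypt_letsencrypt-data_77077:/etc/letsencrypt
      # Let's Encrypt cache directory (cache_dir points to /data/sslcache).
      - registry-ssl:/data
    tty: true
    labels:
      traefik.path.prefix: /auth
      traefik.port: '5001'
      traefik.enable: stack
      traefik.domain: example.com
      io.rancher.container.pull_image: always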