Add Docker Registry service

docs/services/docker-registry.md

@@ -0,0 +1,86 @@
+# Docker Registry
+
+[Docker Registry](https://docs.docker.com/registry/) is a container image distribution registry developed by [Docker Inc](https://www.docker.com/).
+
+This playbook supports installing a container image registry which is:
+
+- completely public, when it comes to pulling images
+- IP-restricted, when it comes to pushing images
+
+Authentication is not supported.
+
+
+## Dependencies
+
+This service requires the following other services:
+
+- a [Traefik](traefik.md) reverse-proxy server
+
+
+## Configuration
+
+To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
+
+```yaml
+########################################################################
+#                                                                      #
+# docker-registry                                                      #
+#                                                                      #
+########################################################################
+
+docker_registry_enabled: true
+
+docker_registry_hostname: registry.example.com
+
+# Uncomment the line below if you'd like to allow for image deletion.
+# docker_registry_storage_delete_enabled: true
+
+# Only whitelisted IPs will be able to perform DELETE, PATCH, POST, PUT requests against the registry.
+# All other IP addresses get read-only (GET, HEAD) access.
+docker_registry_private_services_whitelisted_ip_ranges:
+  - 1.2.3.4/32
+  - 4.3.2.1/32
+
+########################################################################
+#                                                                      #
+# /docker-registry                                                     #
+#                                                                      #
+########################################################################
+```
+
+In the example configuration above, we configure the service to be hosted at `https://registry.example.com`.
+
+
+## Usage
+
+After installation, you should be able to:
+
+- pull images from your registry from any IP address
+- push images to your registry from the whitelisted IP addresses (`docker_registry_private_services_whitelisted_ip_ranges`)
+
+With custom Traefik configuration (hint: see `docker_registry_container_labels_traefik_rule_*` variables in the [docker_registry role]()), you may be able to add additional restrictions.
+
+To **test pushing** images, try the following:
+
+```sh
+docker pull docker.io/alpine:3.17.2
+docker tag docker.io/alpine:3.17.2 registry.example.com/alpine:3.17.2
+docker push registry.example.com/alpine:3.17.2
+```
+
+To **test pulling** images, try the following:
+
+```sh
+# Clean up from before
+docker rmi registry.example.com/alpine:3.17.2
+
+docker pull registry.example.com/alpine:3.17.2
+```
+
+The base URL (e.g. `https://registry.example.com`) serves an empty (blank) page. To browse your registry's images, you may need another piece of software, like [klausmeyer/docker-registry-browser](https://github.com/klausmeyer/docker-registry-browser/tree/master) which is not yet supported by this playbook, but will be supported soon.
+
+
+## Recommended other services
+
+- Docker Registry Browser - support coming to this playbook soon
+- Docker Registry Purger - support coming to this playbook soon

docs/supported-services.md

@@ -4,6 +4,7 @@
 | ------------------------------ | ------------------------------------- | ------------- |
 | [Collabora Online](https://www.collaboraoffice.com/) | Your Private Office Suite In The Cloud | [Link](services/collabora-online.md) |
 | [Docker](https://www.docker.com/) | Open-source software for deploying containerized applications | [Link](services/docker.md) |
+| [Docker Registry](https://docs.docker.com/registry/) | A container image distribution registry | [Link](services/docker-registry.md) |
 | [Gitea](https://gitea.io/) | A painless self-hosted Git service. | [Link](services/gitea.md) |
 | [Miniflux](https://miniflux.app/) | Minimalist and opinionated feed reader. | [Link](services/miniflux.md) |
 | [Nextcloud](https://nextcloud.com/) | The most popular self-hosted collaboration solution for tens of millions of users at thousands of organizations across the globe. | [Link](services/nextcloud.md) |

group_vars/mash_servers

@@ -29,8 +29,6 @@ devture_systemd_service_manager_services_list_auto: |
     +
     ([{'name': (devture_postgres_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'postgres']}] if devture_postgres_enabled else [])
     +
-    ([{'name': (prometheus_node_exporter_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'metrics', 'prometheus-node-exporter']}] if prometheus_node_exporter_enabled else [])
-    +
     ([{'name': (devture_postgres_backup_identifier + '.service'), 'priority': 5000, 'groups': ['mash', 'backup', 'postgres-backup']}] if devture_postgres_backup_enabled else [])
     +
     ([{'name': (devture_container_socket_proxy_identifier + '.service'), 'priority': 2900, 'groups': ['mash', 'reverse-proxies', 'container-socket-proxy']}] if devture_container_socket_proxy_enabled else [])
@@ -41,6 +39,10 @@ devture_systemd_service_manager_services_list_auto: |
     +
     ([{'name': (devture_woodpecker_ci_agent_identifier + '.service'), 'priority': 4100, 'groups': ['mash', 'woodpecker', 'ci', 'woodpecker-ci-agent']}] if devture_woodpecker_ci_agent_enabled else [])
     +
+    ([{'name': (docker_registry_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'docker-registry']}] if docker_registry_enabled else [])
+    +
+    ([{'name': (docker_registry_identifier + '-garbage-collect.timer'), 'priority': 2500, 'groups': ['mash', 'docker-registry', 'gc']}] if docker_registry_enabled else [])
+    +
     ([{'name': (gitea_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'gitea', 'gitea-server']}] if gitea_enabled else [])
     +
     ([{'name': (nextcloud_identifier + '-server.service'), 'priority': 2000, 'groups': ['mash', 'nextcloud', 'nextcloud-server']}] if nextcloud_enabled else [])
@@ -51,6 +53,8 @@ devture_systemd_service_manager_services_list_auto: |
     +
     ([{'name': (peertube_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'peertube']}] if peertube_enabled else [])
     +
+    ([{'name': (prometheus_node_exporter_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'metrics', 'prometheus-node-exporter']}] if prometheus_node_exporter_enabled else [])
+    +
     ([{'name': (radicale_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'radicale']}] if radicale_enabled else [])
     +
     ([{'name': (redmine_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'redmine']}] if redmine_enabled else [])
@@ -343,6 +347,39 @@ collabora_online_container_labels_traefik_tls_certResolver: "{{ devture_traefik_
 
 
 
+########################################################################
+#                                                                      #
+# docker-registry                                                      #
+#                                                                      #
+########################################################################
+
+docker_registry_enabled: false
+
+docker_registry_identifier: "{{ mash_playbook_service_identifier_prefix }}docker-registry"
+
+docker_registry_base_path: "{{ mash_playbook_base_path }}/docker-registry"
+
+docker_registry_uid: "{{ mash_playbook_uid }}"
+docker_registry_gid: "{{ mash_playbook_gid }}"
+
+docker_registry_container_additional_networks: |
+  {{
+    ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+  }}
+
+docker_registry_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
+docker_registry_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
+docker_registry_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+docker_registry_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+########################################################################
+#                                                                      #
+# /docker-registry                                                     #
+#                                                                      #
+########################################################################
+
+
+
 ########################################################################
 #                                                                      #
 # gitea                                                                #

requirements.yml

@@ -63,9 +63,13 @@
 - src: git+https://gitlab.com/etke.cc/roles/redmine.git
   version: v5.0.5-0
 
-- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git
-  name: vaultwarden
-  version: v1.27.0-2
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-collabora-online.git
+  name: collabora_online
+  version: v22.05.12.1.1-0
+
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-docker-registry.git
+  name: docker_registry
+  version: v2.8.1-0
 
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-gitea.git
   name: gitea
@@ -75,10 +79,10 @@
   name: nextcloud
   version: v25.0.4-1
 
-- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-collabora-online.git
-  name: collabora_online
-  version: v22.05.12.1.1-0
-
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-peertube.git
   name: peertube
   version: v5.0.1-0
+
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git
+  name: vaultwarden
+  version: v1.27.0-2

setup.yml

@@ -50,6 +50,8 @@
 
     - role: galaxy/collabora_online
 
+    - role: galaxy/docker_registry
+
     - role: galaxy/gitea
 
     - role: galaxy/miniflux