refactor: update linuxserver/letsencrypt to linuxserver/swag | change…

… the way it previously generates/mounts cert | update healthcheck and container dependencies

README.md

@@ -0,0 +1,24 @@
+# Private Docker Registry with Let's Encrypt
+
+## Base image
+- [linuxserver/swag](https://hub.docker.com/r/linuxserver/swag)
+- [registry](https://hub.docker.com/_/registry)
+
+## How to use
+### Prerequisite
+#### Optional
+- create a separated volume for docker image data
+- mount volume to /docker-mnt directory
+
+### Setup directories and password
+# mkdir -p /docker-mnt/auth
+# mkdir -p /docker-mnt/data
+# docker run --entrypoint htpasswd httpd:2 -Bbn <username> <password> > /docker-mnt/auth/htpasswd
+
+### Run it
+# e.g. if you want to serve your private registry at registry.example.com
+# SUBDOMAIN=<registry> URL=<exmaple.com> PUBLIC_IP=<X.X.X.X> STAGING=true docker compose up -d 
+> See more details in the comments of `docker-compose.yaml`
+
+## Limitation
+- Only support single subdomain, which is usually enough

docker-compose.yaml

@@ -0,0 +1,93 @@
+## Optional
+# create a separated volume for docker image data
+# mount volume to /docker-mnt directory
+## Setup private docker registry
+# mkdir -p /docker-mnt/auth
+# mkdir -p /docker-mnt/data
+# docker run --entrypoint htpasswd httpd:2 -Bbn <username> <password> > /docker-mnt/auth/htpasswd
+
+# e.g. if you want to serve your private registry at registry.example.com
+# SUBDOMAIN=<registry> URL=<exmaple.com> PUBLIC_IP=<X.X.X.X> STAGING=true docker compose up -d  
+
+version: "2.1"
+services:
+  swag:
+    build:
+      context: ./nginx
+      args:
+        - SUBDOMAIN=${SUBDOMAIN}
+        - URL=${URL}
+    image: registry-nginx:v1.0
+    container_name: swag
+    cap_add:
+      - NET_ADMIN
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Etc/UTC
+      - URL=${URL}
+      - VALIDATION=http
+      - SUBDOMAINS=${SUBDOMAIN} #optional
+      #- CERTPROVIDER= #optional
+      #- DNSPLUGIN=cloudflare #optional
+      #- PROPAGATION= #optional
+      - [email protected] #optional
+      - ONLY_SUBDOMAINS=true #optional
+      #- EXTRA_DOMAINS= #optional
+      - STAGING=${STAGING} #optional
+    ports:
+      - 443:443
+      - 80:80 #optional
+    volumes:
+      - cert:/config/etc/letsencrypt:rw # swag would generate cert here
+    healthcheck:
+      test:
+        - CMD-SHELL
+        - bash
+        - -c
+        - |
+          cd /config/letsencrypt/live/${SUBDOMAIN}.${URL}/ &&
+          openssl verify -untrusted chain.pem cert.pem # STAGING=true would fail this check
+      interval: 5s
+      timeout: 60s
+      retries: 5
+    restart: unless-stopped
+    networks:
+      - main
+
+  registry:
+    restart: always
+    image: registry:2
+    container_name: registry
+    environment:
+      REGISTRY_AUTH: htpasswd
+      REGISTRY_AUTH_HTPASSWD_REALM: Registry
+      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
+      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
+      REGISTRY_HTTP_TLS_CERTIFICATE: /cert/live/${SUBDOMAIN}.${URL}/fullchain.pem
+      REGISTRY_HTTP_TLS_KEY: /cert/live/${SUBDOMAIN}.${URL}/privkey.pem
+      REGISTRY_VALIDATION_DISABLED: 'true'
+      URL: ${URL}
+      SUBDOMAINS: ${SUBDOMAIN}
+      PUBLIC_IP: ${PUBLIC_IP}
+    depends_on:
+      swag:
+        condition: service_healthy
+
+    volumes:
+      - /docker-mnt/auth:/auth
+      - /docker-mnt/data:/data
+      # mount swag generated cert and reference by
+      #  REGISTRY_HTTP_TLS_CERTIFICATE
+      #  REGISTRY_HTTP_TLS_KEY
+      - cert:/cert:ro
+    networks:
+      - main
+
+volumes:
+  cert:
+    name: registry-cert
+    driver: local
+
+networks:
+  main:

nginx/Dockerfile

@@ -1,15 +1,8 @@
-FROM linuxserver/letsencrypt
+FROM linuxserver/swag
 
 COPY ./app.conf /config/nginx/site-confs/app.conf
+ARG SUBDOMAIN
+ARG URL
+RUN sed -i "s|{{SUBDOMAINS}}|${SUBDOMAIN}|g" /config/nginx/site-confs/app.conf && \
+    sed -i "s|{{URL}}|${URL}|g" /config/nginx/site-confs/app.conf
 
-COPY ./entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
-ENTRYPOINT ["/entrypoint.sh"]
-
-# HEALTHCHECK       \
-#     --timeout=3s \ 
-#     --retries=20  \
-#     CMD           \
-#         curl --fail https://localhost:443 || exit 1
-#         # curl --fail -k https://localhost:443 || exit 1
-# curl --fail https://localhost:5000/v2/_catalog -H 'Authorization: Basic base64encoded' || exit 1