commit 70184dd85d76eb8a1d573c8b083c13f9de45181d
Author: phil <phil.dev@philome.mooo.com>
Date:   Sat Nov 2 04:05:28 2024 +0100

    Initial commit

diff --git a/Containerfile b/Containerfile
new file mode 100644
index 0000000..58c872a
--- /dev/null
+++ b/Containerfile
@@ -0,0 +1,8 @@
+FROM docker.io/library/registry:latest
+ENV REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED true
+ENV REGISTRY_AUTH htpasswd
+ENV REGISTRY_AUTH_HTPASSWD_REALM "Registry Realm"
+ENV REGISTRY_AUTH_HTPASSWD_PATH /auth/htpasswd
+ENV REGISTRY_HTTP_TLS_CERTIFICATE /certs/domain.crt
+ENV REGISTRY_HTTP_TLS_KEY /certs/domain.key
+EXPOSE 5000
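Review bot: `ENV REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED true` on the second line re-enables the deprecated schema 1 manifest format, and nothing on the page shows a client that needs it; later registry releases have dropped that format altogether (worth checking against the image actually pulled), so the line is at best dead and at worst widens what the registry accepts. Drop it unless a legacy client is documented, and pin the base image instead of `FROM docker.io/library/registry:latest` so the auth and TLS behaviour does not change silently on the next rebuild. The same eight lines are duplicated verbatim as the inline `container_file` of the podman_image task in container_registry.yaml; keeping one copy — this file referenced by the build, or the inline text alone — avoids the two drifting apart.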
diff --git a/README b/README
new file mode 100644
index 0000000..369fe75
--- /dev/null
+++ b/README
@@ -0,0 +1,29 @@
+Create a private registry for containers
+
+Ref: https://www.redhat.com/sysadmin/simple-container-registry
+
+Just run: ansible-playbook container_registry.yaml
+
+~~~
+
+Make sure the local CA (domain.crt) is accepted on all the machines that will commit the images AND on all the target systems (the machines where the images will be deployed).
+
+Manually, for Debian:
+HOST=k3s
+REGISTRY=tiptop:5000
+ssh root@$HOST mkdir -p /etc/containers/certs.d/$REGISTRY
+scp certs/domain.crt root@$HOST:/etc/containers/certs.d/$REGISTRY/
+
+~~~
+
+Next, add the credential to the kubernetes cluster:
+kubectl create secret docker-registry regcred --docker-server=tiptop:5000 --docker-username=admin --docker-password=admin -n default
+
+~~~
+
+To push to the registry:
+podman push <image name> docker://<host name>:5000/<image name>
+
+~~~
+
+To use it in Kubernetes, see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
diff --git a/auth/.gitignore b/auth/.gitignore
new file mode 100644
index 0000000..205388f
--- /dev/null
+++ b/auth/.gitignore
@@ -0,0 +1 @@
+htpassword
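Review bot: The pattern `htpassword` does not match `htpasswd`, the file the playbook writes (`path: "{{playbook_dir}}/auth/htpasswd"`), so the ignore rule never fires and the credential file is committed in this same commit — see the auth/htpasswd hunk, which carries a bcrypt hash of the `admin` account the playbook creates. Change this line to `htpasswd`, remove auth/htpasswd from the repository (and from history if the remote is shared), and treat that password as exposed and rotate it. The certs/ ignore file in the same commit gets this right with `*.crt` / `*.key`; the auth directory deserves the same care.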
diff --git a/auth/htpasswd b/auth/htpasswd
new file mode 100644
index 0000000..2670e31
--- /dev/null
+++ b/auth/htpasswd
@@ -0,0 +1 @@
+admin:$2b$12$0j.FEghiSM1km9LHgetFAusfni9QPR7KibzKEbaukFUba/Z8zwWHK
diff --git a/certs/.gitignore b/certs/.gitignore
new file mode 100644
index 0000000..be870b4
--- /dev/null
+++ b/certs/.gitignore
@@ -0,0 +1,2 @@
+*.crt
+*.key
diff --git a/container_registry.yaml b/container_registry.yaml
new file mode 100644
index 0000000..d1c9c4e
--- /dev/null
+++ b/container_registry.yaml
@@ -0,0 +1,88 @@
+- name: Run registry container
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Creates directory for certs
+      ansible.builtin.file:
+        path: "{{playbook_dir}}/certs"
+        state: directory
+
+    - name: Creates directory for data, will be mounted on the container and used for the registry store
+      ansible.builtin.file:
+        path: "{{playbook_dir}}/data"
+        state: directory
+
+    - name: Creates directory for auth (htpasswd)
+      ansible.builtin.file:
+        path: "{{playbook_dir}}/auth"
+        state: directory
+
+    - name: Create auth file
+      community.general.htpasswd:
+        path: "{{playbook_dir}}/auth/htpasswd"
+        name: admin
+        password: admin
+        hash_scheme: bcrypt
+
+    - name: Create private key (RSA, 4096 bits)
+      community.crypto.openssl_privatekey:
+        path: "{{playbook_dir}}/certs/domain.key"
+
+    - name: Create certificate signing request (CSR) for self-signed certificate
+      community.crypto.openssl_csr_pipe:
+        privatekey_path: "{{playbook_dir}}/certs/domain.key"
+        common_name: tiptop
+        organization_name: MyOwnVerySelf
+        subject_alt_name:
+          - "DNS:tiptop"
+      register: ca_csr
+
+    - name: Create self-signed certificate from CSR
+      community.crypto.x509_certificate:
+        path: "{{playbook_dir}}/certs/domain.crt"
+        csr_content: "{{ ca_csr.csr }}"
+        privatekey_path: "{{playbook_dir}}/certs/domain.key"
+        provider: selfsigned
+
+    - name: Build container
+      containers.podman.podman_image:
+        name: myregistry
+        state: build
+        build:
+          format: oci
+          container_file: |-
+            FROM docker.io/library/registry:latest
+            ENV REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED true
+            ENV REGISTRY_AUTH htpasswd
+            ENV REGISTRY_AUTH_HTPASSWD_REALM "Registry Realm"
+            ENV REGISTRY_AUTH_HTPASSWD_PATH /auth/htpasswd
+            ENV REGISTRY_HTTP_TLS_CERTIFICATE /certs/domain.crt
+            ENV REGISTRY_HTTP_TLS_KEY /certs/domain.key
+            EXPOSE 5000
+
+    - name: Install quadlet
+      containers.podman.podman_container:
+        name: myregistry
+        state: quadlet
+        image: localhost/myregistry:latest
+        volumes:
+          - "{{playbook_dir}}/certs:/certs:z"
+          - "{{playbook_dir}}/data:/var/lib/registry:z"
+          - "{{playbook_dir}}/auth:/auth:z"
+        ports:
+          - 5000:5000
+        quadlet_options:
+          - |
+            [Install]
+            WantedBy=default.target
+
+    - name: Reload systemd
+      ansible.builtin.systemd_service:
+        daemon_reload: true
+        scope: user
+
+    - name: Start container
+      ansible.builtin.systemd_service:
+        scope: user
+        name: myregistry.service
+        state: started
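Review bot: The htpasswd task hard-codes `password: admin` (the README and secret.yaml reuse the same pair), so the registry comes up with a guessable credential that is also checked into git. Source it from a variable — `password: "{{ registry_admin_password }}"` with the value supplied via Ansible Vault or `vars_prompt` — and add `no_log: true` to that task in case the module echoes its arguments. The inline `container_file` also carries `ENV REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED true`, a deprecated manifest format this deployment has no visible need for, and the same text is duplicated in the standalone Containerfile, which the build could reference instead of repeating it. As a style point, the Jinja expressions are written `{{playbook_dir}}` throughout where ansible-lint expects `{{ playbook_dir }}`, and the port mapping `- 5000:5000` is safer written as `- "5000:5000"` so no YAML loader is tempted to retype it.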
diff --git a/data/.gitignore b/data/.gitignore
new file mode 100644
index 0000000..355164c
--- /dev/null
+++ b/data/.gitignore
@@ -0,0 +1 @@
+*/
diff --git a/secret.yaml b/secret.yaml
new file mode 100644
index 0000000..6d77782
--- /dev/null
+++ b/secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1    
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+  name: image-pull-secret
+data:
+  .dockerconfigjson:
+    {{ "{"my-passwordauths": {"tiptop:5000": {"username": "admin", "password": "admin"}}}" | b64enc }}
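Review bot: The value on the last line begins with `{{`, which YAML parses as a flow mapping before any template engine sees it, and the embedded JSON string `"{"my-passwordauths": …}"` has unescaped inner quotes, so the document does not load as written; the top-level key inside a kubernetes.io/dockerconfigjson payload must also be `auths`, not `my-passwordauths`, or kubelet will not find the credentials. Wrap the whole expression in single quotes and build the JSON with the engine's own serialisation filter rather than a hand-quoted string; note that `b64enc` is the Sprig/Helm filter — if this is rendered by Ansible the filter is `b64encode` — and no task on the page renders this file at all, so it may be unused (the README creates the same secret with `kubectl create secret docker-registry`). Either way the plaintext `admin`/`admin` pair belongs in a vaulted variable rather than the repository. There is also trailing whitespace after `apiVersion: v1` on the first line.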