authorHugo Hörnquist <hugo@lysator.liu.se>2023-06-11 02:26:17 +0200
committerHugo Hörnquist <hugo@lysator.liu.se>2023-06-11 02:44:18 +0200
commit04ef27409843d9cfc6d6a06a06632b937c547e8d (patch)
tree6abc503d489068063fefba1d66d3efcada44c130
parentChange dhcpd domain. (diff)
Add distribution registry.
-rw-r--r--manifests/container_registry.pp48
-rw-r--r--manifests/distribution_registry.pp79
2 files changed, 127 insertions, 0 deletions
diff --git a/manifests/container_registry.pp b/manifests/container_registry.pp
new file mode 100644
index 0000000..de1a268
--- /dev/null
+++ b/manifests/container_registry.pp
@@ -0,0 +1,48 @@
+# @summary Sets up a local container registry
+#
+# Note that this is more of a role.
+class profiles::container_registry (
+ String $server_name,
+ Enum['present', 'absent'] $ensure = 'present',
+) {
+ include profiles::nginx
+
+ $socket = '/run/distribution/distribution.sock'
+ class { 'profiles::distribution_registry':
+ http_addr => $socket,
+ http_net => 'unix',
+ }
+
+ include ::profiles::certificate
+ letsencrypt::domain { $server_name:
+ cert_name => $profiles::certificate::cert_name,
+ }
+
+ if $ensure == 'present' {
+ @@dns::record { "AAAA ${server_name}":
+ type => 'AAAA',
+ zone => "${facts['domain']}.",
+ key => $server_name.split('.')[0],
+ value => $facts['ipaddress6'],
+ }
+ }
+
+ nginx::resource::server { $server_name:
+ ensure => $ensure,
+ ipv6_enable => true,
+ ipv6_listen_options => '',
+ use_default_location => false,
+ * => letsencrypt::conf::nginx($server_name),
+ }
+
+ if $facts['letsencrypt_directory'][$server_name] {
+ nginx::resource::location { "${server_name} /":
+ location => '/',
+ proxy => "http://unix:${socket}",
+ index_files => [],
+ ssl => true,
+ ssl_only => true,
+ server => $server_name,
+ }
+ }
+}
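Review bot: The `$ensure` parameter is not passed through to the `profiles::distribution_registry` declaration at the top of the class, so setting `ensure => 'absent'` on `profiles::container_registry` removes the nginx server but leaves the registry package installed and its service running on the unix socket. Add `ensure => $ensure,` to the resource-like class declaration, i.e. `class { 'profiles::distribution_registry': http_addr => $socket, http_net => 'unix', ensure => $ensure, }`. The `letsencrypt::domain` resource is likewise declared unconditionally while the exported `dns::record` is guarded by `$ensure == 'present'`; if decommissioning is meant to be complete, it probably wants the same guard. Separately, `$facts['ipaddress6']` is a legacy fact; the structured `$facts['networking']['ip6']` is the equivalent if the fleet already uses structured facts elsewhere.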
diff --git a/manifests/distribution_registry.pp b/manifests/distribution_registry.pp
new file mode 100644
index 0000000..dc7920c
--- /dev/null
+++ b/manifests/distribution_registry.pp
@@ -0,0 +1,79 @@
+# @summary Manages the "distribution" container registry service
+#
+# https://github.com/distribution/distribution
+#
+# @param http_addr
+# Address to listen to
+# @param http_net
+# If http_addr refers to an IP-address/port, or a unix socket
+# @param registry_dir
+# Container storage.
+# @param htpasswd
+# Location of htpasswd file
+# TODO only have this if basic authentication is used.
+# @param conf_file
+# Path to configuration file.
+# Does *not* move the configuration file, but is where the
+# configuraion file is expected to be on the machine.
+# @param ensure
+# To allow decomissioning
+class profiles::distribution_registry (
+ String $http_addr,
+ Enum['tcp', 'unix'] $http_net = 'tcp',
+ String $registry_dir = '/var/lib/registry',
+ String $htpasswd = '/var/lib/distribution-registry/htpasswd',
+ String $conf_file = '/etc/distribution-registry/conf.yml',
+ Enum['present', 'absent'] $ensure = 'present',
+) {
+ ensure_packages([
+ 'distribution-registry',
+ ], {
+ 'ensure' => $ensure,
+ })
+
+ if $ensure == 'present' {
+ service { 'distribution-registry.service':
+ ensure => running,
+ }
+
+ file { $conf_file:
+ content => to_yaml({
+ 'version' => '0.1',
+ 'log' => {
+ 'fields' => {
+ 'service' => 'registry',
+ },
+ },
+ 'storage' => {
+ 'cache' => {
+ 'blobdescriptor' => 'inmemory',
+ },
+ 'filesystem' => {
+ 'rootdirectory' => $registry_dir,
+ },
+ },
+ 'http' => {
+ 'addr' => $http_addr,
+ 'net' => $http_net,
+ },
+ 'auth' => {
+ 'htpasswd' => {
+ 'realm' => 'basic-realm',
+ 'path' => $htpasswd,
+ },
+ },
+ 'health' => {
+ 'storagedriver' => {
+ 'enabled' => true,
+ 'interval' => '10s',
+ 'threshold' => 3,
+ },
+ },
+ })
+ }
+ } else {
+ file { $conf_file:
+ ensure => absent,
+ }
+ }
+}
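Review bot: The `service` resource in the `present` branch has no relationship to `File[$conf_file]`, so a change to the generated configuration (listen address, htpasswd path, storage root) is written to disk but the running registry never picks it up until something else restarts it; add `subscribe => File[$conf_file],` to the service. There is also no ordering between the package and the config file, so on a fresh host the `file` resource can be applied before `/etc/distribution-registry` exists if that directory is shipped by the package; `require => Package['distribution-registry'],` on the file resource closes that. In the `absent` branch the package is removed and the config deleted but the service is never declared `ensure => stopped`, which is worth adding so decommissioning does not leave a running process behind. Finally, the generated config unconditionally enables htpasswd auth pointing at `$htpasswd`, yet nothing on the page manages that file; the registry will presumably refuse to start if it is missing, so either managing it here or documenting that a caller must is worth stating in the `@param htpasswd` text.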