From 04ef27409843d9cfc6d6a06a06632b937c547e8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Sun, 11 Jun 2023 02:26:17 +0200
Subject: Add distribution registry.

---
 manifests/container_registry.pp | 48 +++++++++++++++++++++++
 manifests/distribution_registry.pp | 79 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 127 insertions(+)
 create mode 100644 manifests/container_registry.pp
 create mode 100644 manifests/distribution_registry.pp
(limited to 'manifests')
diff --git a/manifests/container_registry.pp b/manifests/container_registry.pp
new file mode 100644
index 0000000..de1a268
--- /dev/null
+++ b/manifests/container_registry.pp
@@ -0,0 +1,48 @@
+# @summary Sets up a local container registry
+#
+# Note that this is more of a role.
+class profiles::container_registry (
+ String $server_name,
+ Enum['present', 'absent'] $ensure = 'present',
+) {
+ include profiles::nginx
+
+ $socket = '/run/distribution/distribution.sock'
+ class { 'profiles::distribution_registry':
+ http_addr => $socket,
+ http_net => 'unix',
+ }
+
+ include ::profiles::certificate
+ letsencrypt::domain { $server_name:
+ cert_name => $profiles::certificate::cert_name,
+ }
+
+ if $ensure == 'present' {
+ @@dns::record { "AAAA ${server_name}":
+ type => 'AAAA',
+ zone => "${facts['domain']}.",
+ key => $server_name.split('.')[0],
+ value => $facts['ipaddress6'],
+ }
+ }
+
+ nginx::resource::server { $server_name:
+ ensure => $ensure,
+ ipv6_enable => true,
+ ipv6_listen_options => '',
+ use_default_location => false,
+ * => letsencrypt::conf::nginx($server_name),
+ }
+
+ if $facts['letsencrypt_directory'][$server_name] {
+ nginx::resource::location { "${server_name} /":
+ location => '/',
+ proxy => "http://unix:${socket}",
+ index_files => [],
+ ssl => true,
+ ssl_only => true,
+ server => $server_name,
+ }
+ }
+}
diff --git a/manifests/distribution_registry.pp b/manifests/distribution_registry.pp
new file mode 100644
index 0000000..dc7920c
--- /dev/null
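Review bot: The `class { 'profiles::distribution_registry': ... }` declaration does not pass `ensure => $ensure`, so with `ensure => 'absent'` the nginx server is removed while the registry package, service and config file stay in place; `profiles::distribution_registry` takes an `ensure` parameter in this same commit, so add `ensure => $ensure,` to that declaration. The exported `@@dns::record` is only declared while present, so decommissioning leaves the AAAA record wherever it was collected until the collector purges; if `dns::record` accepts `ensure`, exporting it with `ensure => $ensure` instead of guarding the declaration would tear it down too. `$facts['ipaddress6']` is a legacy flat fact; if the module already targets structured facts, `$facts['networking']['ip6']` is the equivalent — verify against the rest of the module.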
+++ b/manifests/distribution_registry.pp
@@ -0,0 +1,79 @@
+# @summary Manages the "distribution" container registry service
+#
+# https://github.com/distribution/distribution
+#
+# @param http_addr
+# Address to listen to
+# @param http_net
+# If http_addr refers to an IP-address/port, or a unix socket
+# @param registry_dir
+# Container storage.
+# @param htpasswd
+# Location of htpasswd file
+# TODO only have this if basic authentication is used.
+# @param conf_file
+# Path to configuration file.
+# Does *not* move the configuration file, but is where the
+# configuraion file is expected to be on the machine.
+# @param ensure
+# To allow decomissioning
+class profiles::distribution_registry (
+ String $http_addr,
+ Enum['tcp', 'unix'] $http_net = 'tcp',
+ String $registry_dir = '/var/lib/registry',
+ String $htpasswd = '/var/lib/distribution-registry/htpasswd',
+ String $conf_file = '/etc/distribution-registry/conf.yml',
+ Enum['present', 'absent'] $ensure = 'present',
+) {
+ ensure_packages([
+ 'distribution-registry',
+ ], {
+ 'ensure' => $ensure,
+ })
+
+ if $ensure == 'present' {
+ service { 'distribution-registry.service':
+ ensure => running,
+ }
+
+ file { $conf_file:
+ content => to_yaml({
+ 'version' => '0.1',
+ 'log' => {
+ 'fields' => {
+ 'service' => 'registry',
+ },
+ },
+ 'storage' => {
+ 'cache' => {
+ 'blobdescriptor' => 'inmemory',
+ },
+ 'filesystem' => {
+ 'rootdirectory' => $registry_dir,
+ },
+ },
+ 'http' => {
+ 'addr' => $http_addr,
+ 'net' => $http_net,
+ },
+ 'auth' => {
+ 'htpasswd' => {
+ 'realm' => 'basic-realm',
+ 'path' => $htpasswd,
+ },
+ },
+ 'health' => {
+ 'storagedriver' => {
+ 'enabled' => true,
+ 'interval' => '10s',
+ 'threshold' => 3,
+ },
+ },
+ })
+ }
+ } else {
+ file { $conf_file:
+ ensure => absent,
+ }
+ }
+}
-- cgit v1.2.3
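Review bot: `file { $conf_file: ... }` and `service { 'distribution-registry.service': ... }` in the `present` branch carry no relationship, so a changed `http_addr`, `htpasswd` path or `registry_dir` is written to disk while the running registry keeps its old settings until something else restarts it, and on a first run the service may be started before its config file exists; add `notify => Service['distribution-registry.service'],` to the file resource, which also gives the ordering. The `absent` branch removes the package and the config but never declares the unit stopped; whether removing the package stops it depends on the packaging, so an explicit stopped/disabled service there is safer. The `$htpasswd` file referenced under `auth.htpasswd.path` is not managed by this class and presumably comes from elsewhere — the `@param htpasswd` doc should say where, since basic auth cannot work without it. While here, the doc comments spell `configuraion` and `decomissioning`.
```puppet
    file { $conf_file:
      content => to_yaml({
        # … unchanged: registry configuration hash …
      }),
      notify  => Service['distribution-registry.service'],
    }
  } else {
    service { 'distribution-registry.service':
      ensure => stopped,
      enable => false,
    }
    # … unchanged: file { $conf_file: ensure => absent } …
```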