nixpkgs/nixos/modules/services/misc/docker-registry.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.dockerRegistry;

  blobCache = if cfg.enableRedisCache
    then "redis"
    else "inmemory";

  registryConfig = {
    version =  "0.1";
    log.fields.service = "registry";
    storage = {
      cache.blobdescriptor = blobCache;
      delete.enabled = cfg.enableDelete;
    } // (if cfg.storagePath != null
          then { filesystem.rootdirectory = cfg.storagePath; }
          else {});
    http = {
      addr = "${cfg.listenAddress}:${builtins.toString cfg.port}";
      headers.X-Content-Type-Options = ["nosniff"];
    };
    health.storagedriver = {
      enabled = true;
      interval = "10s";
      threshold = 3;
    };
  };

  registryConfig.redis = mkIf cfg.enableRedisCache {
    addr = "${cfg.redisUrl}";
    password = "${cfg.redisPassword}";
    db = 0;
    dialtimeout = "10ms";
    readtimeout = "10ms";
    writetimeout = "10ms";
    pool = {
      maxidle = 16;
      maxactive = 64;
      idletimeout = "300s";
    };
  };

  configFile = pkgs.writeText "docker-registry-config.yml" (builtins.toJSON (recursiveUpdate registryConfig cfg.extraConfig));

in {
  options.services.dockerRegistry = {
    enable = mkEnableOption "Docker Registry";

    listenAddress = mkOption {
      description = "Docker registry host or ip to bind to.";
      default = "127.0.0.1";
      type = types.str;
    };

    port = mkOption {
      description = "Docker registry port to bind to.";
      default = 5000;
      type = types.int;
    };

    storagePath = mkOption {
      type = types.nullOr types.path;
      default = "/var/lib/docker-registry";
      description = ''
        Docker registry storage path for the filesystem storage backend. Set to
        null to configure another backend via extraConfig.
      '';
    };

    enableDelete = mkOption {
      type = types.bool;
      default = false;
      description = "Enable delete for manifests and blobs.";
    };

    enableRedisCache = mkEnableOption "redis as blob cache";

    redisUrl = mkOption {
      type = types.str;
      default = "localhost:6379";
      description = "Set redis host and port.";
    };

    redisPassword = mkOption {
      type = types.str;
      default = "";
      description = "Set redis password.";
    };

    extraConfig = mkOption {
      description = ''
        Docker extra registry configuration via environment variables.
      '';
      default = {};
      type = types.attrs;
    };

    enableGarbageCollect = mkEnableOption "garbage collect";

    garbageCollectDates = mkOption {
      default = "daily";
      type = types.str;
      description = ''
        Specification (in the format described by
        <citerefentry><refentrytitle>systemd.time</refentrytitle>
        <manvolnum>7</manvolnum></citerefentry>) of the time at
        which the garbage collect will occur.
      '';
    };
  };

  config = mkIf cfg.enable {
    systemd.services.docker-registry = {
      description = "Docker Container Registry";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      script = ''
        ${pkgs.docker-distribution}/bin/registry serve ${configFile}
      '';

      serviceConfig = {
        User = "docker-registry";
        WorkingDirectory = cfg.storagePath;
        AmbientCapabilities = mkIf (cfg.port < 1024) "cap_net_bind_service";
      };
    };

    systemd.services.docker-registry-garbage-collect = {
      description = "Run Garbage Collection for docker registry";

      restartIfChanged = false;
      unitConfig.X-StopOnRemoval = false;

      serviceConfig.Type = "oneshot";

      script = ''
        ${pkgs.docker-distribution}/bin/registry garbage-collect ${configFile}
        ${pkgs.systemd}/bin/systemctl restart docker-registry.service
      '';

      startAt = optional cfg.enableGarbageCollect cfg.garbageCollectDates;
    };

    users.users.docker-registry =
      (if cfg.storagePath != null
      then {
        createHome = true;
        home = cfg.storagePath;
      }
      else {}) // {
        isSystemUser = true;
      };
  };
}
dockerRegistry module: re-init with new underlying software 2016-09-18 20:57:01 +02:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
			`cfg = config.services.dockerRegistry;`

docker-registry: Revert "[bot]: remove unreferenced code" This code was referenced. This reverts commit 87f5930c3fb2c852f5243278b7a9da8e117d95e4. cc @volth 2018-08-06 12:06:46 +02:00			`blobCache = if cfg.enableRedisCache`
			`then "redis"`
			`else "inmemory";`

			`registryConfig = {`
			`version = "0.1";`
			`log.fields.service = "registry";`
			`storage = {`
			`cache.blobdescriptor = blobCache;`
			`delete.enabled = cfg.enableDelete;`
nixos/docker-registry: Allow use of non-filesystem storage Previously this module precluded use of storage backends other than `filesystem`. It is now possible to configure another storage backend manually by setting `services.dockerRegistry.storagePath` to `null` and configuring the other backend via `extraConfig`. 2019-03-12 17:32:29 -04:00			`} // (if cfg.storagePath != null`
			`then { filesystem.rootdirectory = cfg.storagePath; }`
			`else {});`
docker-registry: Revert "[bot]: remove unreferenced code" This code was referenced. This reverts commit 87f5930c3fb2c852f5243278b7a9da8e117d95e4. cc @volth 2018-08-06 12:06:46 +02:00			`http = {`
nixos/docker-registry: fix listenAddress listenAddress config option was previously unused in config generation 2019-02-08 14:19:53 +02:00			`addr = "${cfg.listenAddress}:${builtins.toString cfg.port}";`
docker-registry: Revert "[bot]: remove unreferenced code" This code was referenced. This reverts commit 87f5930c3fb2c852f5243278b7a9da8e117d95e4. cc @volth 2018-08-06 12:06:46 +02:00			`headers.X-Content-Type-Options = ["nosniff"];`
			`};`
			`health.storagedriver = {`
			`enabled = true;`
			`interval = "10s";`
			`threshold = 3;`
			`};`
			`};`

			`registryConfig.redis = mkIf cfg.enableRedisCache {`
			`addr = "${cfg.redisUrl}";`
			`password = "${cfg.redisPassword}";`
			`db = 0;`
			`dialtimeout = "10ms";`
			`readtimeout = "10ms";`
			`writetimeout = "10ms";`
			`pool = {`
			`maxidle = 16;`
			`maxactive = 64;`
			`idletimeout = "300s";`
			`};`
			`};`

nixos/docker-registry: allow nested config options for example: services.dockerRegistry = { enable = true; extraConfig = { http = { host = "https://${config.networking.hostName}:5000"; tls = { certificate = "${registry-tls}/snakeoil.pem"; key = "${registry-tls}/snakeoil.key"; }; }; }; }; 2018-06-05 11:26:02 +02:00			`configFile = pkgs.writeText "docker-registry-config.yml" (builtins.toJSON (recursiveUpdate registryConfig cfg.extraConfig));`
nixos/docker-registry: Add support for garbage collector to docker registry 2018-04-06 15:11:52 +02:00
dockerRegistry module: re-init with new underlying software 2016-09-18 20:57:01 +02:00			`in {`
			`options.services.dockerRegistry = {`
			`enable = mkEnableOption "Docker Registry";`

			`listenAddress = mkOption {`
			`description = "Docker registry host or ip to bind to.";`
			`default = "127.0.0.1";`
			`type = types.str;`
			`};`

			`port = mkOption {`
			`description = "Docker registry port to bind to.";`
			`default = 5000;`
			`type = types.int;`
			`};`

			`storagePath = mkOption {`
nixos/docker-registry: Allow use of non-filesystem storage Previously this module precluded use of storage backends other than `filesystem`. It is now possible to configure another storage backend manually by setting `services.dockerRegistry.storagePath` to `null` and configuring the other backend via `extraConfig`. 2019-03-12 17:32:29 -04:00			`type = types.nullOr types.path;`
dockerRegistry module: re-init with new underlying software 2016-09-18 20:57:01 +02:00			`default = "/var/lib/docker-registry";`
nixos/docker-registry: Allow use of non-filesystem storage Previously this module precluded use of storage backends other than `filesystem`. It is now possible to configure another storage backend manually by setting `services.dockerRegistry.storagePath` to `null` and configuring the other backend via `extraConfig`. 2019-03-12 17:32:29 -04:00			`description = ''`
			`Docker registry storage path for the filesystem storage backend. Set to`
			`null to configure another backend via extraConfig.`
			`'';`
dockerRegistry module: re-init with new underlying software 2016-09-18 20:57:01 +02:00			`};`

nixos/docker-registry: add more configuration options for docker-registry 2018-02-04 14:15:47 +01:00			`enableDelete = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = "Enable delete for manifests and blobs.";`
			`};`

nixos/docker-registry: Add support for garbage collector to docker registry 2018-04-06 15:11:52 +02:00			`enableRedisCache = mkEnableOption "redis as blob cache";`
nixos/docker-registry: add more configuration options for docker-registry 2018-02-04 14:15:47 +01:00
			`redisUrl = mkOption {`
			`type = types.str;`
			`default = "localhost:6379";`
			`description = "Set redis host and port.";`
			`};`

			`redisPassword = mkOption {`
			`type = types.str;`
nixos/docker-registry: cleanup module definition & enhance testcase The following changes have been applied: - the property `http.headers.X-Content-Type-Options` must a list of strings rather than a serialized list - instead of `/etc/docker/registry/config.yml` the configuration will be written with `pkgs.writeText` and the store path will be used to run the registry. This reduces the risk of possible impurities by relying on the Nix store only. - cleaned up the property paths to easy readability and reduce the verbosity. - enhanced the testcase to ensure that digests can be deleted as well - the `services.docker-registry.extraConfig` object will be merged with `registryConfig` /cc @ironpinguin 2018-03-26 13:54:01 +02:00			`default = "";`
nixos/docker-registry: add more configuration options for docker-registry 2018-02-04 14:15:47 +01:00			`description = "Set redis password.";`
			`};`

dockerRegistry module: re-init with new underlying software 2016-09-18 20:57:01 +02:00			`extraConfig = mkOption {`
			`description = ''`
			`Docker extra registry configuration via environment variables.`
			`'';`
			`default = {};`
nixos/docker-registry: allow nested config options for example: services.dockerRegistry = { enable = true; extraConfig = { http = { host = "https://${config.networking.hostName}:5000"; tls = { certificate = "${registry-tls}/snakeoil.pem"; key = "${registry-tls}/snakeoil.key"; }; }; }; }; 2018-06-05 11:26:02 +02:00			`type = types.attrs;`
dockerRegistry module: re-init with new underlying software 2016-09-18 20:57:01 +02:00			`};`
nixos/docker-registry: Add support for garbage collector to docker registry 2018-04-06 15:11:52 +02:00
			`enableGarbageCollect = mkEnableOption "garbage collect";`

			`garbageCollectDates = mkOption {`
			`default = "daily";`
			`type = types.str;`
			`description = ''`
			`Specification (in the format described by`
			`<citerefentry><refentrytitle>systemd.time</refentrytitle>`
			`<manvolnum>7</manvolnum></citerefentry>) of the time at`
			`which the garbage collect will occur.`
			`'';`
			`};`
dockerRegistry module: re-init with new underlying software 2016-09-18 20:57:01 +02:00			`};`

			`config = mkIf cfg.enable {`
			`systemd.services.docker-registry = {`
			`description = "Docker Container Registry";`
			`wantedBy = [ "multi-user.target" ];`
			`after = [ "network.target" ];`
nixos/docker-registry: Add support for garbage collector to docker registry 2018-04-06 15:11:52 +02:00			`script = ''`
nixos/docker-registry: cleanup module definition & enhance testcase The following changes have been applied: - the property `http.headers.X-Content-Type-Options` must a list of strings rather than a serialized list - instead of `/etc/docker/registry/config.yml` the configuration will be written with `pkgs.writeText` and the store path will be used to run the registry. This reduces the risk of possible impurities by relying on the Nix store only. - cleaned up the property paths to easy readability and reduce the verbosity. - enhanced the testcase to ensure that digests can be deleted as well - the `services.docker-registry.extraConfig` object will be merged with `registryConfig` /cc @ironpinguin 2018-03-26 13:54:01 +02:00			`${pkgs.docker-distribution}/bin/registry serve ${configFile}`
dockerRegistry module: re-init with new underlying software 2016-09-18 20:57:01 +02:00			`'';`

			`serviceConfig = {`
			`User = "docker-registry";`
			`WorkingDirectory = cfg.storagePath;`
nixos/docker-registry: allow running on ports < 1024 2018-06-05 11:27:03 +02:00			`AmbientCapabilities = mkIf (cfg.port < 1024) "cap_net_bind_service";`
dockerRegistry module: re-init with new underlying software 2016-09-18 20:57:01 +02:00			`};`
			`};`

nixos/docker-registry: Add support for garbage collector to docker registry 2018-04-06 15:11:52 +02:00			`systemd.services.docker-registry-garbage-collect = {`
			`description = "Run Garbage Collection for docker registry";`

			`restartIfChanged = false;`
			`unitConfig.X-StopOnRemoval = false;`

			`serviceConfig.Type = "oneshot";`

			`script = ''`
			`${pkgs.docker-distribution}/bin/registry garbage-collect ${configFile}`
			`${pkgs.systemd}/bin/systemctl restart docker-registry.service`
			`'';`

			`startAt = optional cfg.enableGarbageCollect cfg.garbageCollectDates;`
			`};`

nixos/docker-registry: Allow use of non-filesystem storage Previously this module precluded use of storage backends other than `filesystem`. It is now possible to configure another storage backend manually by setting `services.dockerRegistry.storagePath` to `null` and configuring the other backend via `extraConfig`. 2019-03-12 17:32:29 -04:00			`users.users.docker-registry =`
treewide: Switch to system users 2019-10-12 22:25:28 +02:00			`(if cfg.storagePath != null`
nixos/docker-registry: Allow use of non-filesystem storage Previously this module precluded use of storage backends other than `filesystem`. It is now possible to configure another storage backend manually by setting `services.dockerRegistry.storagePath` to `null` and configuring the other backend via `extraConfig`. 2019-03-12 17:32:29 -04:00			`then {`
			`createHome = true;`
			`home = cfg.storagePath;`
			`}`
treewide: Switch to system users 2019-10-12 22:25:28 +02:00			`else {}) // {`
			`isSystemUser = true;`
			`};`
dockerRegistry module: re-init with new underlying software 2016-09-18 20:57:01 +02:00			`};`
			`}`