denisandroid/docker-compose.yml

## docker-compose.yml
version: "3.8"
networks:
  registry-network:

services:
  minio:
   image: minio/minio:RELEASE.2025-04-22T22-12-26Z
   container_name: minio
   restart: always
   ports:
     - "7000:7000"
     - "7001:7001"
   environment:
     MINIO_ROOT_USER: "<SECRET_MINIO_LOGIN>"
     MINIO_ROOT_PASSWORD: "<SECRET_MINIO_PASSWORD>"
   volumes:
     - /d/minio/storage:/data
   command: server /data --console-address ":7001" --address "0.0.0.0:7000"
   networks:
     - registry-network
   dns:
     - 127.0.0.1
     - 192.168.0.1

  registry:
   image: registry:3.0.0
   container_name: registry
   restart: always
   ports:
     - "5000:5000"
   volumes:
      - /d/registry/data:/var/lib/registry
      - /d/registry/auth:/auth:ro
      - /d/certs:/certs:ro
   environment:
     #REGISTRY_LOG_LEVEL: "debug"
     REGISTRY_LOG_FIELDS_SERVICE: "registry"
     REGISTRY_LOG_FIELDS_ENVIRONMENT: "development"
     REGISTRY_HTTP_HEADERS_X-Content-Type-Options: "[nosniff]"
     REGISTRY_HTTP_HEADERS_Access-Control-Max-Age: "[1728000]"
     REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: "['https://your_domain.ulin:4443']"
     REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: "['HEAD', 'GET', 'OPTIONS', 'DELETE']"
     REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: "[true]"
     REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: "['Authorization', 'Accept', 'Cache-Control']"
     REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: "['Docker-Content-Digest']"
     REGISTRY_HTTP_TLS_CERTIFICATE: /certs/public.crt
     REGISTRY_HTTP_TLS_KEY: /certs/private.key
     OTEL_TRACES_EXPORTER: "none"
     OTEL_SDK_DISABLED: "true"
     REGISTRY_AUTH: htpasswd
     REGISTRY_AUTH_HTPASSWD_REALM: Registry
     REGISTRY_AUTH_HTPASSWD_PATH: /auth/registry.password
     REGISTRY_STORAGE: "s3"
     REGISTRY_STORAGE_S3_SECURE: "false"
     REGISTRY_STORAGE_DELETE_ENABLED: "yes"
     REGISTRY_STORAGE_S3_DELETE_ENABLED: "yes"
     REGISTRY_STORAGE_S3_REGION: "us-east-1"
     REGISTRY_STORAGE_S3_REGIONENDPOINT: "http://your_domain.ulin:7000"
     REGISTRY_STORAGE_S3_ENCRYPT: "false"
     REGISTRY_STORAGE_S3_SKIPVERIFY: "false"
     REGISTRY_STORAGE_S3_BUCKET: "registry-bucket"
     REGISTRY_STORAGE_S3_ROOTDIRECTORY: "/"
     REGISTRY_STORAGE_S3_ACCESSKEY: "<SECRET_ACCESS_KEY>"
     REGISTRY_STORAGE_S3_SECRETKEY: "<SECRET_SECRET_KEY>"
     REGISTRY_STORAGE_S3_CHUNKSIZE: "104857600"
     REGISTRY_STORAGE_S3_FORCEPATHSTYLE: "true"
     REGISTRY_HTTP_HOST: "https://your_domain.ulin:5000"
     REGISTRY_STORAGE_REDIRECT_DISABLE: "true"
     REGISTRY_HEALTH_STORAGEDRIVER_ENABLED: "false"
   depends_on:
     - minio
   networks:
     - registry-network
   dns:
     - 127.0.0.1
     - 192.168.0.1

  registry-ui:
   image: joxit/docker-registry-ui:main-debian
   container_name: registry-ui
   restart: always
   networks:
     - registry-network
   volumes:
      - /d/certs:/etc/nginx/certs:ro
   environment:
     REGISTRY_TITLE: Docker Registry UI
     DELETE_IMAGES: "true"
     SHOW_CONTENT_DIGEST: "true"
     REGISTRY_URL: https://your_domain.ulin:5000
     SINGLE_REGISTRY: "true"
     REGISTRY_SSL: "true"
     REGISTRY_SECURED: "true"
     REGISTRY_USERNAME: "<SECRET_DOCKER_LOGIN>"
     REGISTRY_PASSWORD: "<SECRET_DOCKER_PASS>"
   depends_on:
     - registry
   dns:
     - 127.0.0.1
     - 192.168.0.1

  nginx:
    image: nginx:stable-bookworm-perl
    restart: always
    ports:
      - 4443:443
    networks:
     - registry-network
    volumes:
      - /d/registry/nginx.conf:/etc/nginx/nginx.conf:ro
      - /d/certs:/etc/nginx/certs:ro
    depends_on:
      - registry
      - registry-ui
    dns:
      - 127.0.0.1
      - 192.168.0.1

## nginx.conf
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    upstream registry {
        server registry:5000;
    }

    server {
        listen 443 ssl;
        server_name your_domain.ulin;

        ssl_certificate /etc/nginx/certs/public.crt;
        ssl_certificate_key /etc/nginx/certs/private.key;

        location / {
            proxy_pass http://registry-ui:80;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location /v2/ {
            proxy_pass http://registry;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate /etc/nginx/certs/public.crt;
            proxy_ssl_session_reuse off;
        }
    }
}

## passwd_andcert.sh
# don't forget to generate a password
#
# Login docker
# Pass <Your_PASS>
mkdir -p /d/registry/auth
htpasswd -B -c /d/registry/auth/registry.password docker

# don't forget to generate a ssl certs
mkdir -p /d/certs
openssl req -newkey rsa:4096 -nodes -sha256 -keyout /d/certs/private.key -x509 -days 365 -out /d/certs/public.crt
	version: "3.8"
	networks:
	registry-network:

	services:
	minio:
	image: minio/minio:RELEASE.2025-04-22T22-12-26Z
	container_name: minio
	restart: always
	ports:
	- "7000:7000"
	- "7001:7001"
	environment:
	MINIO_ROOT_USER: "<SECRET_MINIO_LOGIN>"
	MINIO_ROOT_PASSWORD: "<SECRET_MINIO_PASSWORD>"
	volumes:
	- /d/minio/storage:/data
	command: server /data --console-address ":7001" --address "0.0.0.0:7000"
	networks:
	- registry-network
	dns:
	- 127.0.0.1
	- 192.168.0.1

	registry:
	image: registry:3.0.0
	container_name: registry
	restart: always
	ports:
	- "5000:5000"
	volumes:
	- /d/registry/data:/var/lib/registry
	- /d/registry/auth:/auth:ro
	- /d/certs:/certs:ro
	environment:
	#REGISTRY_LOG_LEVEL: "debug"
	REGISTRY_LOG_FIELDS_SERVICE: "registry"
	REGISTRY_LOG_FIELDS_ENVIRONMENT: "development"
	REGISTRY_HTTP_HEADERS_X-Content-Type-Options: "[nosniff]"
	REGISTRY_HTTP_HEADERS_Access-Control-Max-Age: "[1728000]"
	REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: "['https://your_domain.ulin:4443']"
	REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: "['HEAD', 'GET', 'OPTIONS', 'DELETE']"
	REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: "[true]"
	REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: "['Authorization', 'Accept', 'Cache-Control']"
	REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: "['Docker-Content-Digest']"
	REGISTRY_HTTP_TLS_CERTIFICATE: /certs/public.crt
	REGISTRY_HTTP_TLS_KEY: /certs/private.key
	OTEL_TRACES_EXPORTER: "none"
	OTEL_SDK_DISABLED: "true"
	REGISTRY_AUTH: htpasswd
	REGISTRY_AUTH_HTPASSWD_REALM: Registry
	REGISTRY_AUTH_HTPASSWD_PATH: /auth/registry.password
	REGISTRY_STORAGE: "s3"
	REGISTRY_STORAGE_S3_SECURE: "false"
	REGISTRY_STORAGE_DELETE_ENABLED: "yes"
	REGISTRY_STORAGE_S3_DELETE_ENABLED: "yes"
	REGISTRY_STORAGE_S3_REGION: "us-east-1"
	REGISTRY_STORAGE_S3_REGIONENDPOINT: "http://your_domain.ulin:7000"
	REGISTRY_STORAGE_S3_ENCRYPT: "false"
	REGISTRY_STORAGE_S3_SKIPVERIFY: "false"
	REGISTRY_STORAGE_S3_BUCKET: "registry-bucket"
	REGISTRY_STORAGE_S3_ROOTDIRECTORY: "/"
	REGISTRY_STORAGE_S3_ACCESSKEY: "<SECRET_ACCESS_KEY>"
	REGISTRY_STORAGE_S3_SECRETKEY: "<SECRET_SECRET_KEY>"
	REGISTRY_STORAGE_S3_CHUNKSIZE: "104857600"
	REGISTRY_STORAGE_S3_FORCEPATHSTYLE: "true"
	REGISTRY_HTTP_HOST: "https://your_domain.ulin:5000"
	REGISTRY_STORAGE_REDIRECT_DISABLE: "true"
	REGISTRY_HEALTH_STORAGEDRIVER_ENABLED: "false"
	depends_on:
	- minio
	networks:
	- registry-network
	dns:
	- 127.0.0.1
	- 192.168.0.1

	registry-ui:
	image: joxit/docker-registry-ui:main-debian
	container_name: registry-ui
	restart: always
	networks:
	- registry-network
	volumes:
	- /d/certs:/etc/nginx/certs:ro
	environment:
	REGISTRY_TITLE: Docker Registry UI
	DELETE_IMAGES: "true"
	SHOW_CONTENT_DIGEST: "true"
	REGISTRY_URL: https://your_domain.ulin:5000
	SINGLE_REGISTRY: "true"
	REGISTRY_SSL: "true"
	REGISTRY_SECURED: "true"
	REGISTRY_USERNAME: "<SECRET_DOCKER_LOGIN>"
	REGISTRY_PASSWORD: "<SECRET_DOCKER_PASS>"
	depends_on:
	- registry
	dns:
	- 127.0.0.1
	- 192.168.0.1

	nginx:
	image: nginx:stable-bookworm-perl
	restart: always
	ports:
	- 4443:443
	networks:
	- registry-network
	volumes:
	- /d/registry/nginx.conf:/etc/nginx/nginx.conf:ro
	- /d/certs:/etc/nginx/certs:ro
	depends_on:
	- registry
	- registry-ui
	dns:
	- 127.0.0.1
	- 192.168.0.1
	worker_processes auto;

	events {
	worker_connections 1024;
	}

	http {
	upstream registry {
	server registry:5000;
	}

	server {
	listen 443 ssl;
	server_name your_domain.ulin;

	ssl_certificate /etc/nginx/certs/public.crt;
	ssl_certificate_key /etc/nginx/certs/private.key;

	location / {
	proxy_pass http://registry-ui:80;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	}

	location /v2/ {
	proxy_pass http://registry;
	proxy_set_header Host $http_host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;

	proxy_ssl_verify on;
	proxy_ssl_trusted_certificate /etc/nginx/certs/public.crt;
	proxy_ssl_session_reuse off;
	}
	}
	}
	# don't forget to generate a password
	#
	# Login docker
	# Pass <Your_PASS>
	mkdir -p /d/registry/auth
	htpasswd -B -c /d/registry/auth/registry.password docker

	# don't forget to generate a ssl certs
	mkdir -p /d/certs
	openssl req -newkey rsa:4096 -nodes -sha256 -keyout /d/certs/private.key -x509 -days 365 -out /d/certs/public.crt