---
services:
  registry:
    container_name: registry
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.registry.rule=Host(`registry.tobiasmanske.de`)"
      - "traefik.http.routers.registry.entryPoints=websecure"
      - "traefik.http.services.registry.loadbalancer.server.port=5000"
    image: 'registry:2'
    networks:
      - backend
    volumes:
      - registry_data:/var/lib/registry
      - ./config.yaml:/etc/docker/registry/config.yml:ro,z
      - ./server.pem:/server.pem:ro,Z

  auth:
    restart: always
    image: 'cesanta/docker_auth:1'
    command:
      - '--logtostderr'
      - '/config/auth_config.yaml'
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.registry-auth.rule=Host(`registry-auth.tobiasmanske.de`)"
      - "traefik.http.routers.registry-auth.entryPoints=websecure"
      - "traefik.http.services.registry-auth.loadbalancer.server.port=5001"
      - "traefik.http.middlewares.registry-auth-headers.headers.accesscontrolalloworiginlist=https://registry-ui.tobiasmanske.de"
      - "traefik.http.middlewares.registry-auth-headers.headers.accesscontrolallowheaders=Authorization,Accept,Cache-Control"
      - "traefik.http.middlewares.registry-auth-headers.headers.accesscontrolallowmethods=HEAD,GET,OPTIONS,DELETE"
      - "traefik.http.routers.registry-auth.middlewares=registry-auth-headers"
    networks:
      - backend
    volumes:
      - ./auth_config.yaml:/config/auth_config.yaml:ro,Z
      - ./server.pem:/server.pem:ro,Z
      - ./server.key:/server.key:ro,Z

volumes:
  registry_data:

networks:
  backend:
    internal: true
...