author | Maximilian Bosch <maximilian@mbosch.me> | 2018-03-26 13:54:01 +0200 |
---|---|---|
committer | Maximilian Bosch <maximilian@mbosch.me> | 2018-05-01 15:23:39 +0200 |
commit | 593dc4514192354491473ba00e1b9104f456c50c (patch) | |
tree | fda34958f5130dce880cb558397a02c9241f8b8e /nixos/modules/services/misc/docker-registry.nix | |
parent | f5c0b3f887a90c0dee1467d6e3ac151d4a2e9649 (diff) | |
nixos/docker-registry: cleanup module definition & enhance testcase
The following changes have been applied: - the property `http.headers.X-Content-Type-Options` must be a list of strings rather than a serialized list - instead of `/etc/docker/registry/config.yml` the configuration will be written with `pkgs.writeText` and the store path will be used to run the registry. This reduces the risk of possible impurities by relying on the Nix store only. - cleaned up the property paths to ease readability and reduce verbosity. - enhanced the testcase to ensure that digests can be deleted as well - the `services.docker-registry.extraConfig` object will be merged with `registryConfig` /cc @ironpinguin
Diffstat (limited to 'nixos/modules/services/misc/docker-registry.nix')
-rw-r--r-- | nixos/modules/services/misc/docker-registry.nix | 57 |
1 files changed, 18 insertions, 39 deletions
diff --git a/nixos/modules/services/misc/docker-registry.nix b/nixos/modules/services/misc/docker-registry.nix
index 4866ecf7793a..c0dbcf380db3 100644
--- a/nixos/modules/services/misc/docker-registry.nix
+++ b/nixos/modules/services/misc/docker-registry.nix
@@ -5,40 +5,26 @@ with lib;
 let
 cfg = config.services.dockerRegistry;
- blogCache = if cfg.enableRedisCache
- then "redis"
- else "inmemory";
+ blobCache = if cfg.enableRedisCache
+ then "redis"
+ else "inmemory";
 registryConfig = {
 version = "0.1";
- log = {
- fields = {
- service = "registry";
- };
- };
+ log.fields.service = "registry";
 storage = {
- cache = {
- blobdescriptor = "${blogCache}";
- };
- filesystem = {
- rootdirectory = "/var/lib/registry";
- };
- delete = {
- enabled = cfg.enableDelete;
- };
+ cache.blobdescriptor = blobCache;
+ filesystem.rootdirectory = cfg.storagePath;
+ delete.enabled = cfg.enableDelete;
 };
 http = {
- addr = ":5000";
- headers = {
- X-Content-Type-Options = "[nosniff]";
- };
+ addr = ":${builtins.toString cfg.port}";
+ headers.X-Content-Type-Options = ["nosniff"];
 };
- health = {
- storagedriver = {
- enabled = true;
- interval = "10s";
- threshold = 3;
- };
+ health.storagedriver = {
+ enabled = true;
+ interval = "10s";
+ threshold = 3;
 };
 };
@@ -98,7 +84,7 @@ in {
 redisPassword = mkOption {
 type = types.str;
- default = "asecret";
+ default = "";
 description = "Set redis password.";
 };
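Review bot: The new `http.addr` in the first hunk is `":${builtins.toString cfg.port}"`, which binds every interface, while the `cfg.listenAddress` option that the old `REGISTRY_HTTP_ADDR` environment entry honoured (removed in the hunk for lines 112-132) is no longer consulted anywhere in the generated config. Unless the option is removed elsewhere in this commit, existing configurations that restrict the registry to one address silently start listening on all of them. `addr = "${cfg.listenAddress}:${builtins.toString cfg.port}";` keeps the previous behaviour. The `let` block that defines `registryConfig` continues past the end of the hunk.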
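Review bot: In the second hunk the default of `redisPassword` becomes `""`, but the description stays `Set redis password.`, so a reader cannot tell whether the empty default means "no authentication" or an actual empty password, and how the value is consumed is not visible here. Spelling the unset case out as a type, `type = types.nullOr types.str;` with `default = null;`, or at least extending the description, e.g. `description = "Redis password; leave empty if the redis instance requires none.";` (adjust to how the module actually uses it), would make the intent explicit.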
@@ -112,21 +98,14 @@ in {
 };
 config = mkIf cfg.enable {
- environment.etc."docker/registry/config.yml".text = builtins.toJSON registryConfig;
-
 systemd.services.docker-registry = {
 description = "Docker Container Registry";
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
-
- environment = {
- REGISTRY_HTTP_ADDR = "${cfg.listenAddress}:${toString cfg.port}";
- REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY = cfg.storagePath;
- } // cfg.extraConfig;
-
- script = ''
- ${pkgs.docker-distribution}/bin/registry serve \
- /etc/docker/registry/config.yml
+ script = let
+ configFile = pkgs.writeText "docker-registry-config.yml" (builtins.toJSON (registryConfig // cfg.extraConfig));
+ in ''
+ ${pkgs.docker-distribution}/bin/registry serve ${configFile}
 '';
 serviceConfig = { |
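Review bot: `registryConfig // cfg.extraConfig` on the added `configFile` line is a shallow attrset merge: an `extraConfig` that sets any `http.*` key replaces the whole `http` attrset, dropping the `X-Content-Type-Options = ["nosniff"]` header and the port from `registryConfig`, and the same happens to the `storage` and `health` defaults. `builtins.toJSON (recursiveUpdate registryConfig cfg.extraConfig)` merges per key and keeps those defaults unless explicitly overridden. Note also that `pkgs.writeText` puts the rendered config into the world-readable Nix store, so if `registryConfig` or `extraConfig` ends up carrying `cfg.redisPassword` (not visible in this hunk) the secret becomes readable by every local user, and that `extraConfig` changes meaning from environment variables (the removed `REGISTRY_*` attrset) to config-file keys, which the option description should state. The `systemd.services.docker-registry` attrset continues past the end of the hunk.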