:PROPERTIES:
|
|
:ID: 20221202T124113.404212
|
|
:END:
|
|
#+TITLE: Docker Containers on the Wobserver
|
|
#+FILETAGS: :CCE:
|
|
|
|
I don't really *want* to use [[roam:Docker]], but it's the most-supported way to get some services etc. running on my server. This is kind of the Minimum Viable Docker...
|
|
|
|
The =htpasswd= file was generated locally and then copied to the server so that it never ends up in the =nix store= (the store is world-readable, so any secret written into it is exposed to every local user). It has to be created with =apacheHttpd='s =htpasswd= using bcrypt hashes (=-B=), and as the service user so the registry can actually read the file: =sudo -u docker-registry htpasswd -B /srv/docker-registry/htpasswd rrix=.
|
|
|
|
#+ARROYO_NIXOS_MODULE: nixos/wobserver-docker.nix
|
|
#+ARROYO_SYSTEM_ROLE: server
|
|
#+AUTO_TANGLE: t
|
|
|
|
#+begin_src nix :tangle ~/arroyo-nix/nixos/wobserver-docker.nix
|
|
{ config, ... }:

let
  # Read the registry's bind address/port back out of the final config so the
  # nginx proxy below follows whatever services.dockerRegistry ends up using.
  registry = config.services.dockerRegistry;
  registryHost = "docker.fontkeming.fail";
  registryUpstream = "http://${registry.listenAddress}:${toString registry.port}";
in
{
  # NOTE(review): virtualisation.containers.* produces containers-common
  # configuration (registries.conf / storage.conf) as used by podman and
  # friends; with the docker backend selected below it is not clear from this
  # module whether dockerd honours any of it -- confirm before relying on the
  # zfs driver or the search order here.
  virtualisation.containers = {
    # Unqualified image names are resolved against the private registry
    # first, then Docker Hub.
    registries.search = [ registryHost "docker.io" ];
    storage.settings.storage.driver = "zfs";
  };

  # Run oci-containers through dockerd rather than podman.
  virtualisation.oci-containers.backend = "docker";

  services.dockerRegistry = {
    enable = true;
    # Periodically delete blobs that no manifest references any more.
    enableGarbageCollect = true;
    storagePath = "/srv/docker-registry/";
    extraConfig.auth.htpasswd = {
      # The htpasswd file is created out of band -- never via the Nix store,
      # which is world-readable -- and must be readable by the registry's
      # service user, hence running htpasswd as that user:
      #   sudo -u docker-registry htpasswd -B /srv/docker-registry/htpasswd rrix
      # (-B selects bcrypt hashes.)
      realm = "basic-realm";
      path = "/srv/docker-registry/htpasswd";
    };
  };

  services.nginx.virtualHosts.${registryHost} = {
    # NOTE(review): this module sets neither forceSSL nor enableACME for the
    # vhost. The hard-coded X-Forwarded-Proto below suggests TLS is terminated
    # by something in front of nginx; if it is not, the basic-auth credentials
    # for the registry cross the wire in cleartext -- confirm where TLS ends.
    locations."/" = {
      proxyPass = registryUpstream;
      # X-Forwarded-Proto is pinned to https so the registry emits https://
      # Location URLs even when it sits behind two proxies (see the linked
      # distribution issue).
      extraConfig = ''
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https; # workaround for double-proxying https://github.com/distribution/distribution/issues/2862 ???
        proxy_set_header X-Forwarded-Host $http_host;
      '';
    };
    # Image layers are large; lift nginx's default 1M request-body limit.
    extraConfig = ''
      client_max_body_size 1G;
    '';
  };
}
|
|
#+end_src
|
|
|
|
There's a question of whether to keep =virtualisation.oci-containers.backend= on Docker or switch to Podman -- I'm tempted to leave it on Docker until there's a concrete reason to change.
|