services:
  registry:
    image: registry:2.8
    container_name: registry
    restart: unless-stopped
    networks:
      - traefik-public
    ports:
      - "0.0.0.0:5000:5000"
    environment:
      - TZ=Europe/Berlin
      - REGISTRY_STORAGE_DELETE_ENABLED=true
      - REGISTRY_AUTH=htpasswd
      - REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm
      - REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd
      - REGISTRY_HTTP_SECRET=${REGISTRY_HTTP_SECRET}
      # Storage configuration
      - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry
      # Garbage collection configuration (moved to config.yml if needed)
    volumes:
      - registry-data:/var/lib/registry
      - ./auth:/auth:ro
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "traefik.enable=true"

      # HTTP Router
      - "traefik.http.routers.registry.rule=Host(`${REGISTRY_DOMAIN:-registry.michaelschiemer.de}`)"
      - "traefik.http.routers.registry.entrypoints=websecure"
      - "traefik.http.routers.registry.tls=true"
      - "traefik.http.routers.registry.tls.certresolver=letsencrypt"

      # Service
      - "traefik.http.services.registry.loadbalancer.server.port=5000"

      # Middleware
      - "traefik.http.routers.registry.middlewares=default-chain@file"
    healthcheck:
      test: ["CMD-SHELL", "wget --spider -q --header='Authorization: Basic YWRtaW46cmVnaXN0cnktc2VjdXJlLXBhc3N3b3JkLTIwMjU=' http://localhost:5000/v2/ || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s

volumes:
  registry-data:
    name: registry-data

networks:
  traefik-public:
    external: true