From 496939bc711f98e0d5baf7e0874807123c975ae2 Mon Sep 17 00:00:00 2001 From: pynezz Date: Thu, 2 Oct 2025 19:44:16 +0200 Subject: [PATCH] initial zot setup --- README.md | 107 ++++++++++++++++++++++++++++++++++++++++++++++++ VERSION | 1 + zot-config.json | 22 ++++++++++ 3 files changed, 130 insertions(+) create mode 100644 README.md create mode 100644 VERSION create mode 100644 zot-config.json diff --git a/README.md b/README.md new file mode 100644 index 0000000..9622bcb --- /dev/null +++ b/README.md 
@@ -0,0 +1,107 @@ +# Registry: Zot + +[More information](https://zotregistry.dev/v2.1.8/) + +## Overview + +Zot is a lightweight, OCI-native container registry serving as the central image repository for this homelab. It provides a performant, self-hosted alternative to Docker Hub with built-in authentication, deduplication, and garbage collection. + +## Architecture Integration + +The registry operates within the NUC homelab infrastructure: + +- **Network Access**: External requests to `registry.pynezz.dev` hit the VPS Caddy, which proxies through WireGuard tunnel (10.100.100.0/24) to the NUC's internal Caddy on port 3333 +- **Internal Routing**: NUC Caddy routes `/registry/*` paths to the Zot container at `10.10.10.3:3000` +- **Container Runtime**: Managed via Podman with systemd integration for automatic restarts +- **Storage**: Persistent data stored in `./data` directory with filesystem deduplication enabled + +## Directory Structure + +```plaintext +zot/ +├── data/ # Registry blobs and metadata +│ ├── _blobs/ # Deduplicated image layers +│ └── _uploads/ # Temporary upload staging +└── zot-config.json # Main configuration +``` + +## Configuration Highlights + +Key settings in `zot-config.json`: + +- **Storage**: Deduplicated filesystem backend with garbage collection +- **Authentication**: htpasswd-based auth (credentials in config) +- **Network**: Listens on 0.0.0.0:3000 inside container +- **Extensions**: Search, scrub (integrity checks), and metrics enabled +- **Performance**: Caching enabled for metadata and converted manifests + +## Usage + +**Push images:** + +```bash +podman tag localhost/myapp:latest pkg.pynezz.dev/myapp:latest +podman push pkg.pynezz.dev/myapp:latest +``` + +**Pull images:** + +```bash +podman pull pkg.pynezz.dev/myapp:latest +``` + +**Login:** + +```bash +podman login pkg.pynezz.dev +``` + +## Maintenance + +- **Storage location**: `./data` should be backed up regularly +- **Garbage collection**: Runs automatically based on retention 
policy +- **Monitoring**: Metrics available at `:3000/metrics` for Prometheus scraping +- **Logs**: Check with `podman logs zot` or journald if systemd-managed + +## Security Considerations + +- Auth required for all operations (read/write) +- TLS terminated at VPS Caddy with Let's Encrypt certificates +- Internal communication over WireGuard encrypted tunnel +- Registry isolated in podman network, not exposed to home LAN directly + +## Performance Notes + +Deduplication significantly reduces storage overhead when pushing similar images. The NUC's single-core CPU handles typical homelab registry traffic efficiently, though concurrent large pushes may experience throttling due to the 512MB VPS relay point. + +``` + +``` + +``` + +``` + +``` + +``` + +``` + +``` + +[More information](https://zotregistry.dev/v2.1.8/) + +## directory structure + +```plaintext +Zot +|--data +L--zot-config.json +``` + +## zot-config + +```json +´´´ +``` diff --git a/VERSION b/VERSION new file mode 100644 index 0000000..ebf14b4 --- /dev/null +++ b/VERSION @@ -0,0 +1 @@ +2.1.8 diff --git a/zot-config.json b/zot-config.json new file mode 100644 index 0000000..a4d1c77 --- /dev/null +++ b/zot-config.json @@ -0,0 +1,22 @@ +{ + "storage": { + "rootDirectory": "/var/lib/zot" + }, + "http": { + "address": "0.0.0.0", + "port": 5000 + }, + "log": { + "level": "debug" + }, + "extensions": { + "search": { + "cve": { + "updateInterval": "2h" + } + }, + "ui": { + "enable": true + } + } +}
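Review bot: The README's security section is not backed by the configuration added in the same patch. "Authentication: htpasswd-based auth (credentials in config)" and "Auth required for all operations (read/write)" describe a registry that zot-config.json does not configure (it has no `http.auth` block), so as committed the registry would accept anonymous pushes and pulls; either add the auth block in this patch or reword these bullets to say auth is still to be configured. Related mismatches in the same hunk: the Architecture and Monitoring bullets use port 3000 ("Zot container at `10.10.10.3:3000`", "Metrics available at `:3000/metrics`") while the config listens on 5000; the Configuration Highlights claim deduplication, garbage collection, scrub and metrics are enabled, but none of those keys appear in the config; and the architecture text uses `registry.pynezz.dev` while every Usage command uses `pkg.pynezz.dev`. On "(credentials in config)": reference the htpasswd file by path and keep it out of the repository rather than committing credentials alongside the config. Finally, everything after the Performance Notes section (four empty fence pairs, a second "[More information]" link, a second "directory structure" section and a "zot-config" section whose fence is opened with ``` and closed with ´´´) looks like leftover draft text and should be removed before merge.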
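Review bot: VERSION pins 2.1.8 but nothing else in this patch consumes it; the README only links to the 2.1.8 docs and there is no container unit, Containerfile or script that reads the file to select the image tag. Either wire it into whatever starts the Podman container or document in the README what the file is for, otherwise it will drift from the running image unnoticed.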
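Review bot: This config starts zot with no authentication: "http" contains only "address": "0.0.0.0" and "port": 5000, with no `http.auth` section, so the registry is open for read and write to anything that can reach the container, and the README in the same patch says the opposite. Add the htpasswd configuration zot supports (`http.auth.htpasswd.path` pointing at a file mounted into the container, not committed to the repo) before this is put behind the public Caddy route. Two further points: "port": 5000 disagrees with the port 3000 the README and the Caddy routing description use, so one of them needs to change, and "storage" sets only "rootDirectory", so the deduplication and garbage collection the README advertises are not actually turned on here (zot exposes them as `storage.dedupe` and `storage.gc`). "log": { "level": "debug" } is also noisy for a long-running service and will record request detail you probably do not want in journald by default; consider "info" outside of troubleshooting.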