# File: /volume1/np-dms/registry/docker-compose.yml
# DMS Container v1.8.6: Application name: lcbp3-registry
# Deploy on: ASUSTOR AS5403T
# Services: registry, portainer
# NOTE(review): this file defines `registry` and `registry-ui` (host port
#   8880); no portainer service appears here - confirm where it lives.
# ============================================================
# ⚠️ Requirements:
# - Create the Docker network first: docker network create lcbp3
# - Registry uses port 5000 (domain: registry.np-dms.work)
# - Portainer uses port 9443 (domain: portainer.np-dms.work)
# ============================================================
# 🔒 SECURITY (M6):
# Registry has htpasswd auth enabled (ADR-016)
# Prerequisite (run once before deploy):
#   docker run --rm --entrypoint htpasswd httpd:2 -Bbn \
#     "$REGISTRY_ADMIN_USER" "$REGISTRY_ADMIN_PASSWORD" \
#     > /volume1/np-dms/registry/auth/htpasswd
# Env (.env): REGISTRY_ADMIN_USER, REGISTRY_ADMIN_PASSWORD
# NOTE(review): -B writes bcrypt hashes. Keep auth/htpasswd and .env
#   readable only by the deploying account. The registry-ui service below
#   interpolates DMS_REGISTRY_ADMIN_USER / DMS_REGISTRY_ADMIN_PASSWORD, which
#   are not listed here - confirm both sets exist and agree.
# ============================================================

# Shared fragments, merged into each service through `<<`.
x-restart: &restart_policy
  restart: unless-stopped

x-logging: &default_logging
  logging:
    driver: 'json-file'
    options:
      # Rotation caps log growth per container at 5 files of 10 MB.
      max-size: '10m'
      max-file: '5'

name: lcbp3-registry

networks:
  # Pre-existing network; Compose will not create it (see Requirements).
  lcbp3:
    external: true

services:
  # 1. Image store (Docker Registry)
  registry:
    <<:
      - *restart_policy
      - *default_logging
    # NOTE(review): `registry:2` is a floating tag; pinning a digest keeps a
    #   re-pull from silently changing the running binary.
    image: 'registry:2'
    container_name: registry
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: '256M'
        reservations:
          cpus: '0.1'
          memory: '64M'
    # Every variable in this file is injected into the container. If it is the
    # .env named in the header, the plaintext admin password ends up in the
    # registry's environment (readable via `docker inspect`), although the
    # registry only needs the htpasswd file.
    # NOTE(review): path is under /share while the rest of the file uses
    #   /volume1 - confirm both resolve to the same .env.
    env_file:
      - '/share/np-dms/registry/.env'
    environment:
      TZ: 'Asia/Bangkok'
      # --- Storage ---
      # Deletes are allowed through the API for any authenticated client.
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: '/var/lib/registry'
      # --- M6: htpasswd auth ---
      REGISTRY_AUTH: 'htpasswd'
      REGISTRY_AUTH_HTPASSWD_REALM: 'NP-DMS Registry'
      REGISTRY_AUTH_HTPASSWD_PATH: '/auth/htpasswd'
      # Interpolated by Compose from the shell or the project .env, not from
      # env_file; when unset it becomes an empty string (Compose warns) and,
      # being an explicit entry, overrides any value coming from env_file.
      REGISTRY_HTTP_SECRET: '${REGISTRY_HTTP_SECRET}'
    # NOTE(review): left disabled here but enabled on registry-ui - confirm
    #   whether the registry can run with it too.
    # security_opt:
    #   - no-new-privileges:true
    # Published on all host interfaces as plain HTTP; Basic Auth credentials
    # are only protected if TLS is terminated in front of this port.
    # NOTE(review): presumably a reverse proxy serves registry.np-dms.work -
    #   if it reaches the service over `lcbp3`, this mapping may be unneeded.
    ports:
      - '5000:5000'
    volumes:
      - '/volume1/np-dms/registry/data:/var/lib/registry'
      # Credential file is mounted read-only.
      - '/volume1/np-dms/registry/auth:/auth:ro'
    healthcheck:
      # test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:5000/v2/']
      # TCP-level probe only: confirms the port accepts connections, not that
      # the API answers.
      test:
        - 'CMD'
        - 'nc'
        - '-z'
        - 'localhost'
        - '5000'
      interval: 30s
      timeout: 10s
      retries: 3
    networks:
      - lcbp3

  # 2. UI for browsing images
  registry-ui:
    <<:
      - *restart_policy
      - *default_logging
    image: 'joxit/docker-registry-ui:2.5.7'
    container_name: registry-ui
    deploy:
      resources:
        limits:
          cpus: '0.25'
          memory: '128M'
    security_opt:
      - 'no-new-privileges:true'
    # Published on all host interfaces as plain HTTP.
    ports:
      - '8880:80'
    environment:
      TZ: 'Asia/Bangkok'
      REGISTRY_TITLE: '${DMS_REGISTRY_TITLE}'
      # REGISTRY_URL: 'http://registry:5000'
      # The UI's nginx proxies registry calls over the internal network.
      NGINX_PROXY_PASS_URL: 'http://registry:5000'
      SINGLE_REGISTRY: 'true'
      # Exposes image deletion in the UI (the registry has deletes enabled).
      DELETE_IMAGES: 'true'
      # --- Added so the UI can talk to the auth-enabled registry ---
      # 1. Allow the UI to send requests that carry credentials.
      #    `$$` is Compose's escape for a literal `$`, so the value reaches
      #    the container as `$http_authorization`.
      # NOTE(review): confirm this image version reads this variable.
      NGINX_PROXY_PASS_PARAMS: 'proxy_set_header Authorization $$http_authorization; proxy_pass_header Authorization;'
      # 2. If the UI should remember the Basic Auth password (values from .env).
      # NOTE(review): confirm the image honors these two variables. If it
      #   does attach them to proxied requests, anyone who can reach port
      #   8880 acts as the registry admin (including deletes) without logging
      #   in, so the UI then needs its own access control in front of it.
      REGISTRY_USER: '${DMS_REGISTRY_ADMIN_USER}'
      REGISTRY_PASSWORD: '${DMS_REGISTRY_ADMIN_PASSWORD}'
    depends_on:
      # Start only after the registry's healthcheck passes.
      registry:
        condition: service_healthy
    networks:
      - lcbp3
    healthcheck:
      # test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:80/']
      test:
        - 'CMD-SHELL'
        - 'wget --spider -q http://localhost/ || exit 1'
      interval: 30s
      timeout: 10s
      retries: 3