services:
  registry:
    image: registry:2
    restart: always
    environment:
      - REGISTRY_AUTH=htpasswd
      - REGISTRY_AUTH_HTPASSWD_REALM=Registry
      # We point this to a path that we will 'fake' inside the container
      - REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd
      - REGISTRY_STORAGE_DELETE_ENABLED=true
      - REGISTRY_HTTP_SECRET=something_very_random_and_long
      # We pass the raw hash string here
      - HT_CONTENTS=${REGISTRY_AUTH_HTPASSWD_CONTENTS}
    # Create the file on the fly before the registry starts
    command: 
      - sh
      - -c
      - |
        mkdir -p /auth
        echo '${HT_CONTENTS}' > /auth/htpasswd
        exec bin/registry serve /etc/docker/registry/config.yml
      - /mnt/appdata/docker_registry/data:/var/lib/registry
    networks:
      - proxy-net
    labels:
      - traefik.enable=true
      - traefik.http.routers.registry.rule=Host(`registry.castaldifamily.com`)
      - traefik.http.routers.registry.entrypoints=websecure
      - traefik.http.routers.registry.tls.certresolver=cloudflare
      - traefik.http.services.registry.loadbalancer.server.port=5000

networks:
  proxy-net:
    name: proxy-net
    external: true