Harden zot registry, pt 1 #231

Merged
eblume merged 7 commits from feature/harden-zot-registry into main 2026-02-20 22:50:02 -08:00

Summary

  • Enable OIDC + API key authentication on zot with anonymous pull preserved
  • Enforce tag immutability for version tags
  • Adopt commit-SHA-based container image tagging

Details in the harden-zot-registry Mikado chain (mise run docs-mikado harden-zot-registry).

Test plan

  • Anonymous pull still works
  • Unauthenticated push fails (401)
  • CI container builds pass with new auth and tagging
  • mise run services-check passes

🤖 Generated with Claude Code

Analysis of adopt-commit-based-container-tags revealed three new prerequisites:
- pin-container-versions: add version ARGs to devpi, cv, quartz Dockerfiles
- add-dagger-nix-build: Dagger functions for nix container builds and version extraction
- add-container-version-sync-check: pre-commit hook enforcing version consistency
  across Dockerfile ARGs, service-versions.yaml, and nix derivations

Eliminated the need for separate VERSION files — existing sources (Dockerfile
ARGs, nix derivations, service-versions.yaml) are the source of truth, with a
sync check enforcing consistency.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
build_nix: builds nix containers inside nixos/nix:2.33.3 via Dagger,
resolving nixpkgs from the flake registry. Returns docker-archive tarball.

nix_version: extracts package version from nixpkgs (e.g., authentik ->
2025.10.1). Used by the container version sync check.

Tested: nettest builds successfully, ntfy-sh and authentik versions resolve.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- dagger.md: add build_nix, nix_version, flake_lock to functions table
- build-container-image.md: document Dagger as local nix build option
- build-authentik-container.md: mention Dagger build path
- Mark add-dagger-nix-build card complete

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- devpi: Pin devpi-server==6.19.1 and devpi-web==5.0.1
- cv: Add ARG CV_VERSION=0.1.0
- quartz: Add ARG QUARTZ_VERSION=0.1.0
- Update service-versions.yaml with new version values
- Mark pin-container-versions Mikado card as complete

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
eblume force-pushed feature/harden-zot-registry from 4cee46924d to 16a804b80b 2026-02-20 20:13:59 -08:00 Compare
eblume force-pushed feature/harden-zot-registry from 16a804b80b to d368a07876 2026-02-20 20:25:01 -08:00 Compare
Introduces a typer-based mise task that validates version consistency
across Dockerfiles, nix derivations, and service-versions.yaml for all
tracked containers. Populates current-version for all hybrid services.

Discovered ntfy nix version skew (2.15.0 vs Dockerfile 2.17.0) — fixing
forward with ntfy excluded from nix checks and a new Mikado dependency
card (fix-ntfy-nix-version) to resolve it.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The nixpkgs ntfy-sh package is pinned at 2.15.0, creating a version
skew with the Dockerfile (v2.17.0). Replace the pkgs.ntfy-sh reference
with a custom derivation using fetchgit, buildNpmPackage, and
buildGoModule targeting the forge mirror. Update container-version-check
to extract versions from local nix files via regex before falling back
to the Dagger nix-version function.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
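As an added illustration of the version sync check described in the two commit messages above (this is not the repository's container-version-check code): a stdlib-only Python sketch that extracts versions from Dockerfile ARGs, from nix derivations by regex (the path the commit takes before falling back to the Dagger nix-version function) and from service-versions.yaml, then reports any service whose sources disagree, such as the ntfy 2.15.0 vs 2.17.0 skew. The inputs are constructed samples and the service-versions.yaml layout is an assumption.

```python
import re

# Constructed sample inputs, not files from the repository.  The layout of
# service-versions.yaml (service -> current-version) is an assumption.
DOCKERFILES = {
    "ntfy": "FROM golang:1.22 AS build\nARG NTFY_VERSION=v2.17.0\n",
    "cv": "FROM python:3.12-slim\nARG CV_VERSION=0.1.0\n",
}
NIX_FILES = {
    # Mirrors the skew the commit message describes: nixpkgs pin vs Dockerfile.
    "ntfy": 'buildGoModule rec {\n  pname = "ntfy-sh";\n  version = "2.15.0";\n}\n',
}
SERVICE_VERSIONS_YAML = "ntfy:\n  current-version: 2.17.0\ncv:\n  current-version: 0.1.0\n"

# Any ARG ending in VERSION; a leading "v" is stripped so v2.17.0 == 2.17.0.
ARG_RE = re.compile(r"^ARG\s+\w*VERSION=v?(\S+)", re.MULTILINE)
NIX_RE = re.compile(r'^\s*version\s*=\s*"v?([^"]+)"\s*;', re.MULTILINE)


def _first(pattern, text):
    """First capture group of pattern in text, or None when absent."""
    m = pattern.search(text)
    return m.group(1) if m else None


def yaml_versions(text: str) -> dict:
    """Minimal parser for the assumed two-level YAML; avoids a PyYAML dependency."""
    versions, service = {}, None
    for line in text.splitlines():
        top = re.match(r"^(\S+):\s*$", line)
        if top:
            service = top.group(1)
            continue
        m = re.match(r"^\s+current-version:\s*v?(\S+)", line)
        if m and service:
            versions[service] = m.group(1)
    return versions


def check_versions(dockerfiles, nix_files, yaml_text, skip_nix=()) -> dict:
    """Return {service: {source: version}} for every service whose sources disagree.
    skip_nix excludes a known-skewed nix derivation, as the commit did for ntfy."""
    mismatches = {}
    for service, declared in yaml_versions(yaml_text).items():
        seen = {"service-versions.yaml": declared}
        if service in dockerfiles:
            seen["Dockerfile"] = _first(ARG_RE, dockerfiles[service])
        if service in nix_files and service not in skip_nix:
            seen["nix"] = _first(NIX_RE, nix_files[service])
        if len(set(seen.values())) > 1:
            mismatches[service] = seen
    return mismatches
```

Wired into a pre-commit hook, a non-empty result from check_versions is what should fail the commit; the skip list is a deliberate, visible exception rather than a silent pass.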
All verification items pass: mismatch detection confirmed, ntfy nix
version resolved. All three prereqs (pin-container-versions,
add-dagger-nix-build, fix-ntfy-nix-version) are complete.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
eblume changed title from Harden zot registry to Harden zot registry, pt 1 2026-02-20 22:49:15 -08:00

we're going to cut this short here to let all of these containers build.

eblume merged commit 0e2c10176d into main 2026-02-20 22:50:02 -08:00
eblume referenced this pull request from a commit 2026-02-20 22:50:02 -08:00
Reference
eblume/blumeops!231