---
title: Zot
tags:
  - service
  - registry
---

# Zot

OCI-native container registry providing pull-through cache and private image storage.

## Quick Reference

| Property | Value |
|----------|-------|
| **URL** | https://registry.ops.eblu.me |
| **Local Port** | 5050 |
| **Data** | `~/zot` |
| **Config** | `~/.config/zot/config.json` |
| **LaunchAgent** | mcquack |

## Namespace Convention

| Path | Source |
|------|--------|
| `registry.ops.eblu.me/docker.io/*` | Cached from Docker Hub |
| `registry.ops.eblu.me/ghcr.io/*` | Cached from GHCR |
| `registry.ops.eblu.me/quay.io/*` | Cached from Quay |
| `registry.ops.eblu.me/blumeops/*` | Private images |

## Pull-Through Cache

When [[kubernetes/cluster\|minikube]] pulls an image:
1. Containerd checks zot first (`host.minikube.internal:5050`)
2. If cached, returns immediately
3. If not, zot fetches from upstream, caches, returns

## Private Images

```bash
# Build and push from gilbert
podman build -t registry.ops.eblu.me/blumeops/myapp:v1 .
podman push registry.ops.eblu.me/blumeops/myapp:v1

# Use in k8s manifest
image: registry.ops.eblu.me/blumeops/myapp:v1
```

## Security Model

Network access only (no authentication). Defense is the Tailscale ACL boundary.

## Useful Commands

```bash
# List all images
curl -s http://indri:5050/v2/_catalog | jq

# List tags
curl -s http://indri:5050/v2/blumeops/devpi/tags/list | jq
```

## Related

- [[forgejo\|Forgejo]] - Container build CI
- [[kubernetes/cluster\|Cluster]] - Registry consumer