Fix the Facebook crawler spider trap by disabling Quartz SPA mode and removing the nginx fallback to index.html. Non-existent URLs now return 404.html instead of the root SPA shell, preventing infinite recursive crawling. Remove hand-curated category index files (tutorials.md, reference.md, how-to.md, explanation.md) — Quartz auto-generates folder pages. Drop docs-check-index and docs-check-filenames hooks. Update docs-check-links to allow path-based wiki-links and only error on true ambiguity. Remove robots.txt exclusions since they're no longer needed. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
| title | modified | tags |
|---|---|---|
| Zot | 2026-02-21 | |
Zot
OCI-native container registry providing pull-through cache and private image storage.
Quick Reference
| Property | Value |
|---|---|
| URL | https://registry.ops.eblu.me |
| Local Port | 5050 |
| Data | ~/zot |
| Config | ~/.config/zot/config.json |
| LaunchAgent | mcquack |
Namespace Convention
| Path | Source |
|---|---|
| registry.ops.eblu.me/docker.io/* | Cached from Docker Hub |
| registry.ops.eblu.me/ghcr.io/* | Cached from GHCR |
| registry.ops.eblu.me/quay.io/* | Cached from Quay |
| registry.ops.eblu.me/blumeops/* | Private images |
Pull-Through Cache
When the cluster pulls an image, containerd checks zot first. If the image is already cached, zot returns it immediately; if not, zot fetches it from the upstream registry, caches it, then returns it.
Security Model
OIDC authentication via authentik, with API key support for CI. Three-tier access control:
| Role | Permissions | Use case |
|---|---|---|
| Anonymous | read | Pull images without auth |
| artifact-workloads group | read, create | CI push (new tags only, no overwrite/delete) |
| admins group | read, create, update, delete | Break-glass admin access |
CI authenticates with a zot API key generated from the zot-ci service account's OIDC session. The key is stored in the Forgejo Secrets 1Password item (field zot-ci-api) and synced to Forgejo Actions secrets via ansible.
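The three-tier model above, together with the pull-through namespaces, expressed as a zot `config.json` fragment. This is an added illustration, not the page's own `~/.config/zot/config.json`; it follows zot's documented schema as the editor recalls it, and the client id, secret, issuer and data path are placeholders. Note that the CI group gets `create` but not `update`, which is what makes existing tags immutable for CI, and that `delete` exists only in the admin policy.

```json
{
  "distSpecVersion": "1.1.0",
  "storage": { "rootDirectory": "/PLACEHOLDER/zot" },
  "http": {
    "address": "127.0.0.1",
    "port": "5050",
    "auth": {
      "openid": {
        "providers": {
          "oidc": {
            "name": "authentik",
            "clientid": "PLACEHOLDER_CLIENT_ID",
            "clientsecret": "PLACEHOLDER_CLIENT_SECRET",
            "issuer": "https://PLACEHOLDER-authentik/application/o/zot/",
            "scopes": ["openid", "profile", "email", "groups"]
          }
        }
      },
      "apikey": true
    },
    "accessControl": {
      "repositories": {
        "**": {
          "anonymousPolicy": ["read"],
          "policies": [
            { "groups": ["artifact-workloads"], "actions": ["read", "create"] }
          ]
        }
      },
      "adminPolicy": {
        "groups": ["admins"],
        "actions": ["read", "create", "update", "delete"]
      }
    }
  },
  "extensions": {
    "sync": {
      "enable": true,
      "registries": [
        { "urls": ["https://registry-1.docker.io"], "onDemand": true, "tlsVerify": true,
          "content": [{ "prefix": "**", "destination": "/docker.io" }] },
        { "urls": ["https://ghcr.io"], "onDemand": true, "tlsVerify": true,
          "content": [{ "prefix": "**", "destination": "/ghcr.io" }] },
        { "urls": ["https://quay.io"], "onDemand": true, "tlsVerify": true,
          "content": [{ "prefix": "**", "destination": "/quay.io" }] }
      ]
    }
  }
}
```

A quick check after changing the policy is to push an already-existing tag with the CI key and confirm the registry refuses it, while a fresh tag succeeds.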
API Key Rotation
The zot-ci API key expires every 90 days. To rotate:
- In the Authentik admin UI, impersonate the `zot-ci` user
- Visit https://registry.ops.eblu.me; you'll land on the login page
- Click "SIGN IN WITH OIDC" to authenticate as zot-ci
- Navigate to https://registry.ops.eblu.me/user/apikey
- Generate a new API key and copy it to the clipboard
- Update 1Password: `pbpaste | op item edit "Forgejo Secrets" --vault blumeops "zot-ci-api[password]=-"`
- Sync to Forgejo: `mise run provision-indri -- --tags forgejo_actions_secrets`
Related
- forgejo - Container build CI
- cluster - Registry consumer
- authentik - OIDC identity provider
- harden-zot-registry - Security hardening guide
- install-dagger-on-nix-runner - Why Dagger can't run on the Nix builder