| author | unitexe <unitexe70@gmail.com> | 2026-01-13 00:57:55 -0600 |
|---|---|---|
| committer | unitexe <unitexe70@gmail.com> | 2026-01-13 00:57:55 -0600 |
| commit | 4281486e3456788f6bae22a86a5a7b7ed566b92c (patch) | |
| tree | 6c39ba67c7ec721d84aec2b6657fb0acf2e8c538 /meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen | |
| parent | 60fe98ebdd3a3a70871db1fe47427399f785c1ec (diff) | |
Rootful registry quadlet with TLS support
Diffstat (limited to 'meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen')
2 files changed, 46 insertions, 0 deletions
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service
new file mode 100644
index 0000000..07c2b87
--- /dev/null
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Generate registry TLS keys for device
+ConditionPathExists=!/etc/registry/domain.crt
+ConditionPathExists=!/etc/registry/domain.key
+After=time-sync.target
+Wants=time-sync.target systemd-time-wait-sync.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/regkeygen.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh
new file mode 100644
index 0000000..5edf519
--- /dev/null
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-core/systemd/systemd-regkeygen/regkeygen.sh
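Review bot: Both ConditionPathExists=! lines must hold for the unit to start, so a run that leaves only one of the two files behind (the script runs under `set -e`, and openssl writes -keyout and -out as separate files) is never retried: the unit is silently skipped on every later boot and the registry ends up with no usable certificate. Conditioning on the certificate alone, `ConditionPathExists=!/etc/registry/domain.crt`, and letting the script overwrite a stale key would make generation self-healing; alternatively have the script write both files to a temporary directory and move them into place last. The same conditions also mean the 365-day certificate is never regenerated after it expires, which deserves a comment in the unit, e.g. `# Runs once per device; renewal after expiry is not handled here`.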
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+set -e
+
+echo "Generating TLS certificate and key for local registry..."
+
+mkdir -p /etc/registry
+openssl req -x509 -newkey ec \
+ -pkeyopt ec_paramgen_curve:P-256 \
+ -keyout /etc/registry/domain.key \
+ -out /etc/registry/domain.crt \
+ -days 365 \
+ -nodes \
+ -subj '/C=US/ST=Minnesota/L=St. Paul/O=Closed Circuit Consulting/OU=/CN=localhost/emailAddress=unitexe70@gmail.com' \
+ -addext 'subjectAltName=DNS:localhost,IP:127.0.0.1,IP:::1'
+
+echo "Setting permissions on generated artifacts..."
+
+chmod 640 /etc/registry/domain.key
+chmod 644 /etc/registry/domain.crt
+
+echo "Adding CA to system trust store..."
+
+mkdir -p /usr/local/share/ca-certificates
+cp /etc/registry/domain.crt /usr/local/share/ca-certificates/registry.crt
+update-ca-certificates
+
+echo "Adding CA to containers trust store..."
+
+mkdir -p /etc/containers/certs.d/localhost:5000/
+cp /etc/registry/domain.crt /etc/containers/certs.d/localhost:5000/ca.crt
+
+echo "Registry TLS configuration created and ready for use" |
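Review bot: The private key is created by openssl with the process's default umask (openssl does not appear to restrict -keyout permissions itself) and is only tightened by `chmod 640 /etc/registry/domain.key` several commands later, so with a common 022 umask the key is world-readable during that window and stays so if `set -e` aborts the script in between. Adding `umask 077` before the openssl invocation makes the key restrictive from creation; the existing chmod lines can stay. The echo lines describe the artifact as a CA, but what is generated is a self-signed leaf for CN=localhost that is then installed as a trust anchor; rewording the messages (or issuing a separate CA and a leaf signed by it) would avoid misleading whoever later finds /usr/local/share/ca-certificates/registry.crt. Combined with the unit's ConditionPathExists=! checks, `-days 365` also leaves no renewal path once the certificate expires; a header comment stating that this script is a one-shot bootstrap and that expiry is unhandled would make the limitation visible.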
