
自建仓库Docker 源与部署

JACIN··14 分钟阅读

docker-compose#

Dockerhub 和 ui

version: "3.8"

networks:
  mynetwork:
    # Pre-existing network created outside this file. Any other container
    # attached to it can reach registry:5000 directly, and no registry-level
    # auth is configured below; the only password check is in the host nginx.
    external: true

services:
  registry:
    container_name: registry
    # Floating tag: pin a version or digest you have verified so a re-pull
    # cannot silently change the registry binary.
    image: registry:2
    restart: always
    networks:
      - mynetwork
    ports:
      # Published on the host loopback only; docker push from outside reaches
      # it through the host nginx reverse proxy, never this port directly.
      - "127.0.0.1:5000:5000"
    volumes:
      - ./data:/var/lib/registry
    environment:
      # The UI runs in proxy mode, so the registry needs no CORS headers.
      # Only deletion is switched on here; everyone who can reach the API
      # can therefore delete images.
      REGISTRY_STORAGE_DELETE_ENABLED: "true"

  ui:
    container_name: registry-ui
    # `latest` ships the Nginx backend used by proxy mode. It is a floating
    # tag: pin a version or digest you have verified.
    image: joxit/docker-registry-ui:latest
    restart: always
    networks:
      - mynetwork
    ports:
      # Browser entry point, loopback only; the host nginx fronts it.
      - "127.0.0.1:18080:80"
    environment:
      # Proxy mode: the UI forwards API calls to the registry container over
      # the internal network.
      NGINX_PROXY_PASS_URL: "http://registry:5000"
      # Manage exactly one registry from this UI.
      SINGLE_REGISTRY: "true"
      # Show the delete action in the UI.
      DELETE_IMAGES: "true"
      # Title shown in the UI.
      REGISTRY_TITLE: "My Private Registry"

配置 nginx.conf#

ui 配置: vim /etc/nginx/sites-available/docker-ui

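server {
    listen 443 ssl http2;
    server_name hub-ui.jacin.me; # public hostname of the registry UI

    # --- TLS certificate (same paths as the author's earlier setup) ---
    # The private key sits under /root; keep it readable by root only.
    ssl_certificate     /root/fast-proxy/ssl/origin.crt;
    ssl_certificate_key /root/fast-proxy/ssl/origin.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # --- Real client IP behind Cloudflare ---
    # CF-Connecting-IP is trustworthy only when the TCP peer is a Cloudflare
    # edge. Trusting 0.0.0.0/0 would let any peer that reaches this origin
    # directly choose the address that ends up in $remote_addr, and with it
    # the access log and X-Real-IP. Trust only Cloudflare's published ranges;
    # re-check them against https://www.cloudflare.com/ips/ when deploying,
    # and preferably firewall port 443 to the same ranges.
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 104.16.0.0/13;
    set_real_ip_from 104.24.0.0/14;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2a06:98c0::/29;
    set_real_ip_from 2c0f:f248::/32;
    real_ip_header CF-Connecting-IP;
    real_ip_recursive on;

    # --- Reverse proxy to the UI container ---
    location / {
        # Host port published by the `ui` service in docker-compose
        # (127.0.0.1:18080), not 3033 as an older comment said.
        proxy_pass http://127.0.0.1:18080;

        # Pass the original host name and client address upstream.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # HTTP basic auth is the only access control in front of the UI,
        # which has image deletion enabled. Create the htpasswd file with a
        # strong password and keep it out of any web root.
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # --- WebSocket upgrade headers ---
        # Carried over from a MeTube config, where they served a live
        # progress bar. NOTE(review): probably not needed for the registry
        # UI; confirm before removing.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # --- Timeouts (keep the frontend connected during long transfers) ---
        proxy_read_timeout 6000s;
        proxy_send_timeout 6000s;
    }
}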

后端部署:

0 表示不限制大小(无限大),专门用于大文件上传

# 0 switches the request-body size check off, so an upload can be of any
# size. Scope it to the authenticated registry server block only, and watch
# disk usage on the registry volume.
client_max_body_size 0;

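server {
    listen 443 ssl http2;
    server_name hub.jacin.me; # public hostname of the registry API

    # --- TLS certificate (same paths as the author's earlier setup) ---
    # The private key sits under /root; keep it readable by root only.
    ssl_certificate     /root/fast-proxy/ssl/origin.crt;
    ssl_certificate_key /root/fast-proxy/ssl/origin.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # --- Real client IP behind Cloudflare ---
    # CF-Connecting-IP is trustworthy only when the TCP peer is a Cloudflare
    # edge. Trusting 0.0.0.0/0 would let any peer that reaches this origin
    # directly choose the address that ends up in $remote_addr, and with it
    # the access log and X-Real-IP. Trust only Cloudflare's published ranges;
    # re-check them against https://www.cloudflare.com/ips/ when deploying,
    # and preferably firewall port 443 to the same ranges.
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 104.16.0.0/13;
    set_real_ip_from 104.24.0.0/14;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2a06:98c0::/29;
    set_real_ip_from 2c0f:f248::/32;
    real_ip_header CF-Connecting-IP;
    real_ip_recursive on;

    # 0 switches the request-body size check off so large image layers can
    # be pushed. With no upper bound, the basic-auth check below is what
    # keeps unauthenticated clients from filling the registry volume.
    client_max_body_size 0;

    # --- Reverse proxy to the registry container ---
    location / {
        # Host port published by the `registry` service in docker-compose
        # (127.0.0.1:5000), not 3033 as an older comment said.
        proxy_pass http://127.0.0.1:5000;

        # Pass the original host name and client address upstream.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # HTTP basic auth is the only access control on the registry API:
        # `docker login` credentials are checked here, and the registry has
        # deletion enabled and no auth of its own. Use a strong password and
        # keep the htpasswd file out of any web root.
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # --- WebSocket upgrade headers ---
        # Carried over from a MeTube config, where they served a live
        # progress bar. NOTE(review): probably not needed for the registry
        # API; confirm before removing.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # --- Timeouts (keep long layer uploads and downloads connected) ---
        proxy_read_timeout 6000s;
        proxy_send_timeout 6000s;
    }
}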


测试docker 源#

注意:hub.jacin.me 需要账号登录(推送前先执行 docker login hub.jacin.me)。

vim Dockerfile

# Use the very small alpine image as the base.
# NOTE(review): `latest` is a floating tag; pin a specific version or digest
# for anything beyond this push test so rebuilds stay reproducible.
FROM alpine:latest

# Command run when the container starts: print one line.
CMD ["echo", "恭喜你!这是推送到 hub.jacin.me 的第一个程序!"]

在 Dockerfile 所在的目录下执行:

# Build the image and tag it with the registry host name up front, so the
# tag already matches what the private registry expects on push.
docker build -t hub.jacin.me/test-project/hello-world:v1 .

推送

# Run `docker login hub.jacin.me` first: the registry host sits behind nginx
# basic auth, so an unauthenticated push is rejected.
docker push hub.jacin.me/test-project/hello-world:v1

docker login

image|690x375
