first commit

2026-02-12 12:10:30 +01:00 · 2026-02-12 12:10:30 +01:00 · 272e2d6090
commit 272e2d6090
8 changed files with 400 additions and 0 deletions
--- a/README.md
+++ b/README.md
--- a/auth-app/Dockerfile
+++ b/auth-app/Dockerfile
@ -0,0 +1,12 @@
+FROM python:3.12-alpine
+
+WORKDIR /app
+
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY . .
+
+EXPOSE 5000
+
+CMD ["gunicorn", "--bind", "0.0.0.0:5000", "--workers", "1", "app:app"]
--- a/auth-app/app.py
+++ b/auth-app/app.py
@ -0,0 +1,178 @@
+import os
+import sqlite3
+from functools import wraps
+
+import bcrypt as bc
+from flask import (
+    Flask,
+    flash,
+    redirect,
+    render_template,
+    request,
+    session,
+    url_for,
+)
+
+app = Flask(__name__)
+app.secret_key = os.environ.get("SECRET_KEY", "default-secret-key")
+
+ADMIN_USER = os.environ.get("ADMIN_USER", "admin")
+ADMIN_PASSWORD = os.environ.get("ADMIN_PASSWORD", "changeme")
+DB_PATH = os.environ.get("DB_PATH", "/data/users.db")
+HTPASSWD_PATH = os.environ.get("HTPASSWD_PATH", "/auth/htpasswd")
+
+
+def get_db():
+    conn = sqlite3.connect(DB_PATH)
+    conn.row_factory = sqlite3.Row
+    return conn
+
+
+def init_db():
+    os.makedirs(os.path.dirname(DB_PATH), exist_ok=True)
+    os.makedirs(os.path.dirname(HTPASSWD_PATH), exist_ok=True)
+    conn = get_db()
+    conn.execute(
+        """
+        CREATE TABLE IF NOT EXISTS users (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            username TEXT UNIQUE NOT NULL,
+            password_hash TEXT NOT NULL,
+            created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+        )
+        """
+    )
+    conn.commit()
+    conn.close()
+
+
+def hash_password(password):
+    """Hash password with bcrypt, using $2y$ identifier for htpasswd compatibility."""
+    hashed = bc.hashpw(password.encode("utf-8"), bc.gensalt(rounds=12))
+    return hashed.decode("utf-8").replace("$2b$", "$2y$", 1)
+
+
+def sync_htpasswd():
+    """Regenerate htpasswd file from all users in SQLite."""
+    conn = get_db()
+    users = conn.execute("SELECT username, password_hash FROM users").fetchall()
+    conn.close()
+    with open(HTPASSWD_PATH, "w") as f:
+        for user in users:
+            f.write(f"{user['username']}:{user['password_hash']}\n")
+
+
+def login_required(f):
+    @wraps(f)
+    def decorated(*args, **kwargs):
+        if not session.get("logged_in"):
+            return redirect(url_for("login"))
+        return f(*args, **kwargs)
+
+    return decorated
+
+
+@app.route("/login", methods=["GET", "POST"])
+def login():
+    if request.method == "POST":
+        username = request.form.get("username", "")
+        password = request.form.get("password", "")
+        if username == ADMIN_USER and password == ADMIN_PASSWORD:
+            session["logged_in"] = True
+            return redirect(url_for("users"))
+        flash("Ungueltige Anmeldedaten.", "error")
+    return render_template("login.html")
+
+
+@app.route("/logout")
+def logout():
+    session.pop("logged_in", None)
+    return redirect(url_for("login"))
+
+
+@app.route("/")
+@login_required
+def users():
+    conn = get_db()
+    user_list = conn.execute(
+        "SELECT id, username, created_at FROM users ORDER BY username"
+    ).fetchall()
+    conn.close()
+    return render_template("users.html", users=user_list)
+
+
+@app.route("/add", methods=["POST"])
+@login_required
+def add_user():
+    username = request.form.get("username", "").strip()
+    password = request.form.get("password", "")
+
+    if not username or not password:
+        flash("Benutzername und Passwort sind erforderlich.", "error")
+        return redirect(url_for("users"))
+
+    if len(password) < 6:
+        flash("Passwort muss mindestens 6 Zeichen lang sein.", "error")
+        return redirect(url_for("users"))
+
+    password_h = hash_password(password)
+
+    conn = get_db()
+    try:
+        conn.execute(
+            "INSERT INTO users (username, password_hash) VALUES (?, ?)",
+            (username, password_h),
+        )
+        conn.commit()
+        sync_htpasswd()
+        flash(f'Benutzer "{username}" wurde erstellt.', "success")
+    except sqlite3.IntegrityError:
+        flash(f'Benutzer "{username}" existiert bereits.', "error")
+    finally:
+        conn.close()
+
+    return redirect(url_for("users"))
+
+
+@app.route("/password/<int:user_id>", methods=["POST"])
+@login_required
+def change_password(user_id):
+    password = request.form.get("password", "")
+
+    if not password or len(password) < 6:
+        flash("Passwort muss mindestens 6 Zeichen lang sein.", "error")
+        return redirect(url_for("users"))
+
+    password_h = hash_password(password)
+
+    conn = get_db()
+    conn.execute(
+        "UPDATE users SET password_hash = ? WHERE id = ?",
+        (password_h, user_id),
+    )
+    conn.commit()
+    conn.close()
+    sync_htpasswd()
+    flash("Passwort wurde geaendert.", "success")
+    return redirect(url_for("users"))
+
+
+@app.route("/delete/<int:user_id>", methods=["POST"])
+@login_required
+def delete_user(user_id):
+    conn = get_db()
+    user = conn.execute(
+        "SELECT username FROM users WHERE id = ?", (user_id,)
+    ).fetchone()
+    if user:
+        conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
+        conn.commit()
+        sync_htpasswd()
+        flash(f'Benutzer "{user["username"]}" wurde geloescht.', "success")
+    conn.close()
+    return redirect(url_for("users"))
+
+
+# Initialize database and htpasswd on startup
+init_db()
+sync_htpasswd()
--- a/auth-app/requirements.txt
+++ b/auth-app/requirements.txt
@ -0,0 +1,3 @@
+flask>=3.0
+bcrypt>=4.0
+gunicorn>=21.0
--- a/auth-app/templates/base.html
+++ b/auth-app/templates/base.html
@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html lang="de">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>{% block title %}Docker Registry{% endblock %}</title>
+    <style>
+        * { margin: 0; padding: 0; box-sizing: border-box; }
+        body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif; background: #f3f4f6; color: #1f2937; min-height: 100vh; }
+        header { background: #1e293b; color: #fff; padding: 1rem 2rem; display: flex; justify-content: space-between; align-items: center; }
+        header h1 { font-size: 1.25rem; font-weight: 600; }
+        header a { color: #94a3b8; text-decoration: none; font-size: 0.9rem; }
+        header a:hover { color: #fff; }
+        .container { max-width: 900px; margin: 2rem auto; padding: 0 1rem; }
+        .card { background: #fff; border-radius: 8px; box-shadow: 0 1px 3px rgba(0,0,0,0.1); padding: 1.5rem; margin-bottom: 1.5rem; }
+        .card h2 { font-size: 1.1rem; margin-bottom: 1rem; color: #374151; }
+        .flash { padding: 0.75rem 1rem; border-radius: 6px; margin-bottom: 1rem; font-size: 0.9rem; }
+        .flash.success { background: #dcfce7; color: #166534; border: 1px solid #bbf7d0; }
+        .flash.error { background: #fef2f2; color: #991b1b; border: 1px solid #fecaca; }
+        table { width: 100%; border-collapse: collapse; }
+        th, td { text-align: left; padding: 0.75rem; border-bottom: 1px solid #e5e7eb; }
+        th { font-size: 0.8rem; text-transform: uppercase; color: #6b7280; font-weight: 600; }
+        tr:last-child td { border-bottom: none; }
+        input[type="text"], input[type="password"] { padding: 0.5rem 0.75rem; border: 1px solid #d1d5db; border-radius: 6px; font-size: 0.9rem; width: 100%; }
+        input:focus { outline: none; border-color: #2563eb; box-shadow: 0 0 0 3px rgba(37,99,235,0.1); }
+        .btn { padding: 0.5rem 1rem; border: none; border-radius: 6px; font-size: 0.85rem; cursor: pointer; font-weight: 500; }
+        .btn-primary { background: #2563eb; color: #fff; }
+        .btn-primary:hover { background: #1d4ed8; }
+        .btn-danger { background: #dc2626; color: #fff; }
+        .btn-danger:hover { background: #b91c1c; }
+        .btn-secondary { background: #6b7280; color: #fff; }
+        .btn-secondary:hover { background: #4b5563; }
+        .form-row { display: flex; gap: 0.75rem; align-items: end; }
+        .form-group { flex: 1; }
+        .form-group label { display: block; font-size: 0.8rem; font-weight: 600; color: #374151; margin-bottom: 0.25rem; }
+        .actions { display: flex; gap: 0.5rem; align-items: center; }
+        .inline-form { display: flex; gap: 0.5rem; align-items: center; }
+        .inline-form input { width: 150px; }
+        .empty { text-align: center; padding: 2rem; color: #9ca3af; }
+    </style>
+</head>
+<body>
+    <header>
+        <h1>Docker Registry</h1>
+        {% if session.get('logged_in') %}
+        <a href="{{ url_for('logout') }}">Abmelden</a>
+        {% endif %}
+    </header>
+    <div class="container">
+        {% with messages = get_flashed_messages(with_categories=true) %}
+        {% for category, message in messages %}
+        <div class="flash {{ category }}">{{ message }}</div>
+        {% endfor %}
+        {% endwith %}
+        {% block content %}{% endblock %}
+    </div>
+</body>
+</html>
--- a/auth-app/templates/login.html
+++ b/auth-app/templates/login.html
@ -0,0 +1,20 @@
+{% extends "base.html" %}
+{% block title %}Anmelden - Docker Registry{% endblock %}
+{% block content %}
+<div style="max-width: 400px; margin: 4rem auto;">
+    <div class="card">
+        <h2>Anmelden</h2>
+        <form method="post" action="{{ url_for('login') }}">
+            <div class="form-group" style="margin-bottom: 1rem;">
+                <label for="username">Benutzername</label>
+                <input type="text" id="username" name="username" required autofocus>
+            </div>
+            <div class="form-group" style="margin-bottom: 1rem;">
+                <label for="password">Passwort</label>
+                <input type="password" id="password" name="password" required>
+            </div>
+            <button type="submit" class="btn btn-primary" style="width: 100%;">Anmelden</button>
+        </form>
+    </div>
+</div>
+{% endblock %}
--- a/auth-app/templates/users.html
+++ b/auth-app/templates/users.html
@ -0,0 +1,70 @@
+{% extends "base.html" %}
+{% block title %}Benutzerverwaltung - Docker Registry{% endblock %}
+{% block content %}
+
+<div class="card">
+    <h2>Neuen Benutzer anlegen</h2>
+    <form method="post" action="{{ url_for('add_user') }}">
+        <div class="form-row">
+            <div class="form-group">
+                <label for="username">Benutzername</label>
+                <input type="text" id="username" name="username" required placeholder="z.B. deploy-user">
+            </div>
+            <div class="form-group">
+                <label for="password">Passwort</label>
+                <input type="password" id="password" name="password" required placeholder="Min. 6 Zeichen" minlength="6">
+            </div>
+            <div>
+                <button type="submit" class="btn btn-primary">Anlegen</button>
+            </div>
+        </div>
+    </form>
+</div>
+
+<div class="card">
+    <h2>Registry-Benutzer</h2>
+    {% if users %}
+    <table>
+        <thead>
+            <tr>
+                <th>Benutzername</th>
+                <th>Erstellt am</th>
+                <th>Passwort aendern</th>
+                <th></th>
+            </tr>
+        </thead>
+        <tbody>
+            {% for user in users %}
+            <tr>
+                <td><strong>{{ user.username }}</strong></td>
+                <td>{{ user.created_at }}</td>
+                <td>
+                    <form method="post" action="{{ url_for('change_password', user_id=user.id) }}" class="inline-form">
+                        <input type="password" name="password" placeholder="Neues Passwort" required minlength="6">
+                        <button type="submit" class="btn btn-secondary">Aendern</button>
+                    </form>
+                </td>
+                <td>
+                    <form method="post" action="{{ url_for('delete_user', user_id=user.id) }}"
+                          onsubmit="return confirm('Benutzer &quot;{{ user.username }}&quot; wirklich loeschen?')">
+                        <button type="submit" class="btn btn-danger">Loeschen</button>
+                    </form>
+                </td>
+            </tr>
+            {% endfor %}
+        </tbody>
+    </table>
+    {% else %}
+    <p class="empty">Noch keine Benutzer angelegt.</p>
+    {% endif %}
+</div>
+
+<div class="card">
+    <h2>Nutzung</h2>
+    <p style="font-size: 0.9rem; color: #6b7280; line-height: 1.6;">
+        Nach dem Anlegen eines Benutzers kann sich dieser mit <code>docker login {{ request.host }}</code> anmelden
+        und Images pushen/pullen.
+    </p>
+</div>
+
+{% endblock %}
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,59 @@
+services:
+  caddy:
+    image: caddy:2-alpine
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+    volumes:
+      - ./data/caddy/data:/data
+      - ./data/caddy/config:/config
+    entrypoint: ["sh", "-c"]
+    command:
+      - |
+        echo '${DOMAIN} {
+          handle /v2/* {
+            reverse_proxy registry:5000
+          }
+          handle {
+            reverse_proxy auth:5000
+          }
+        }' | caddy run --adapter caddyfile --config -
+    depends_on:
+      - registry
+      - auth
+    networks:
+      - registry_net
+
+  registry:
+    image: registry:2
+    restart: unless-stopped
+    environment:
+      REGISTRY_AUTH: htpasswd
+      REGISTRY_AUTH_HTPASSWD_REALM: Docker Registry
+      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
+      REGISTRY_STORAGE_DELETE_ENABLED: "true"
+    volumes:
+      - ./data/registry:/var/lib/registry
+      - ./data/htpasswd:/auth:ro
+    networks:
+      - registry_net
+
+  auth:
+    build: ./auth-app
+    restart: unless-stopped
+    environment:
+      ADMIN_USER: ${ADMIN_USER}
+      ADMIN_PASSWORD: ${ADMIN_PASSWORD}
+      SECRET_KEY: ${SECRET_KEY}
+      DB_PATH: /data/users.db
+      HTPASSWD_PATH: /auth/htpasswd
+    volumes:
+      - ./data/auth:/data
+      - ./data/htpasswd:/auth
+    networks:
+      - registry_net
+
+networks:
+  registry_net: