add cookbook for quay

cookbooks/quay/Makefile

@@ -0,0 +1,12 @@
+##
+## Makefile for Quay Container Registry quadlet
+##
+
+# Quay quadlet is mapped to the 10026 user (quay) and 10000 group (itix-svc)
+PROJECT_UID = 10026
+PROJECT_GID = 10000
+
+DEPENDENCIES = postgresql lego
+
+# Include common Makefile
+include ../../scripts/common.mk

cookbooks/quay/config/examples/app/config.yaml

@@ -0,0 +1,327 @@
+# Quay Container Registry configuration
+# Copy this file to /etc/quadlets/quay/app/config.yaml and customize it.
+#
+# For more information on configuration options, see:
+# - the json schema of the config tool: https://github.com/quay/app/blob/master/config-tool/utils/generate/schema.json
+# - the json schema of the Python core: https://github.com/quay/app/blob/master/util/config/schema.py
+
+# The URL at which Quay is accessible, without the scheme.
+SERVER_HOSTNAME: localhost
+
+# The URL scheme to use when hitting Quay. If Quay is behind SSL *at all*, this *must* be `https`
+PREFERRED_URL_SCHEME: https
+
+# SSL certificates for HTTPS.
+SSL_CERTFILE: /quay-registry/conf/stack/tls/ssl.crt
+SSL_KEYFILE: /quay-registry/conf/stack/tls/ssl.key
+
+# Secret key for signing database entries (generate a strong random value)
+DATABASE_SECRET_KEY: 'REDACTEDREDACTEDREDACTED'
+
+# Local filesystem storage for container images
+DISTRIBUTED_STORAGE_CONFIG:
+  default:
+    - LocalStorage
+    - storage_path: /datastorage/registry
+DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
+DISTRIBUTED_STORAGE_PREFERENCE:
+  - default
+
+# The authentication engine to use for credential authentication.
+AUTHENTICATION_TYPE: Database
+
+# The URI at which to access the database, including any credentials.
+DB_URI: postgresql://quay:quay@127.0.0.1:5432/quay
+
+# If specified, connection arguments for the database such as timeouts and SSL.
+# DB_CONNECTION_ARGS: 
+
+# Connection information for Redis for build logs caching
+BUILDLOGS_REDIS: 
+  host: localhost
+  password: quay
+  port: 6379
+
+# Connection information for Redis for user events caching
+USER_EVENTS_REDIS:
+  host: localhost
+  password: quay
+  port: 6379
+
+# Whether to allow the first user to be bootstrapped through API call.
+# If true, the first call to the /api/v1/user/initialize endpoint will create a user with the provided credentials, and this endpoint will be disabled after that. Defaults to False.
+# 
+# Tip: You can then create the first superuser with the following command:
+#
+# ```sh
+# ADMIN_PASSWORD='F00barbaz'
+# curl -vk -X POST https://localhost:8443/api/v1/user/initialize -H 'Content-Type: application/json' --data "{\"username\":\"quayadmin\",\"password\":\"${ADMIN_PASSWORD}\",\"email\": \"root@localhost\",\"access_token\": true}"
+# ```
+FEATURE_USER_INITIALIZE: true
+
+# Superusers have the following capabilities:
+# - User management
+# - Organization management
+# - Service key management
+# - Change log transparency
+# - Usage log management
+# - Globally-visible user message creation
+SUPER_USERS:
+  - quayadmin
+
+# Mark initial setup as complete
+SETUP_COMPLETE: true
+
+# Enable the new UI
+FEATURE_UI_V2: true
+
+# Restrict the API to only allow XHR calls from the browser. Defaults to False.
+BROWSER_API_CALLS_XHR_ONLY: false
+
+# Automatically create a namespace for each organization on push, if it doesn't already exist
+CREATE_NAMESPACE_ON_PUSH: true
+
+# Whether users can directly login to the UI. Defaults to True
+# FEATURE_DIRECT_LOGIN: true
+
+# Whether GitHub login is supported. Defaults to False
+# FEATURE_GITHUB_LOGIN: false
+
+# Whether Google login is supported. Defaults to False
+# FEATURE_GOOGLE_LOGIN: false
+
+# Whether users can be created (by non-super users). Defaults to True
+FEATURE_USER_CREATION: false
+
+# Whether users being created must be invited by another user. Defaults to False
+# FEATURE_INVITE_ONLY_USER_CREATION: false
+
+# If set to true, autocompletion will apply to partial usernames. Defaults to True
+# FEATURE_PARTIAL_USER_AUTOCOMPLETE: true
+
+# Whether to record the last time a user was accessed. Defaults to True
+# FEATURE_USER_LAST_ACCESSED: true
+
+# If set to true, users will have access to audit logs for their namespace. Defaults to False
+FEATURE_USER_LOG_ACCESS: true
+
+# Whether to collect and support user metadata. Defaults to False
+# FEATURE_USER_METADATA: false
+
+# If set to true, users can confirm their generated usernames. Defaults to True
+# FEATURE_USERNAME_CONFIRMATION: true
+
+# If set to true, users can rename their own namespace. Defaults to False
+FEATURE_USER_RENAME: true
+
+#  Whether to allow anonymous users to browse and pull public repositories. Defaults to True
+FEATURE_ANONYMOUS_ACCESS: false
+
+# The length of time a token for recovering a user accounts is valid. Defaults to 30m.
+# USER_RECOVERY_TOKEN_LIFETIME: 30m
+
+# The time after which a fresh login requires users to reenter their password
+# FRESH_LOGIN_TIMEOUT: 10m
+
+# Whether or not to rotate old action logs to storage. Defaults to False
+# FEATURE_ACTION_LOG_ROTATION: false
+
+# If action log archiving is enabled, the path in storage in which to place the archived data.
+# ACTION_LOG_ARCHIVE_PATH: 
+
+# If action log archiving is enabled, the storage engine in which to place the archived data.
+# ACTION_LOG_ARCHIVE_LOCATION: 
+
+# Whether to proxy all direct download URLs in storage via the registry nginx. Defaults to False
+# FEATURE_PROXY_STORAGE: false
+
+# Configuration for storage engine(s) to use in Quay. Each key is a unique ID for a storage engine, with the value being a tuple of the type and  configuration for that engine.
+# DISTRIBUTED_STORAGE_CONFIG: 
+
+# If specified, the long-form title for the registry. Defaults to `Red Hat Quay`.
+# REGISTRY_TITLE: Project Quay
+
+# If specified, the short-form title for the registry. Defaults to `Red Hat Quay`.
+# REGISTRY_TITLE_SHORT: Project Quay
+
+# Number of results returned per page by search page. Defaults to 10
+# SEARCH_RESULTS_PER_PAGE: 10
+
+# Maximum number of pages the user can paginate in search before they are limited. Defaults to 10
+# SEARCH_MAX_RESULT_PAGE_COUNT: 10
+
+# If specified, contact information to display on the contact page. If only a single piece of contact information is specified, the contact footer will link directly.
+# CONTACT_INFO: []
+
+# The types of avatars to display, either generated inline (local) or Gravatar (gravatar)
+# AVATAR_KIND: local
+
+# Custom branding for logos and URLs in the Quay UI
+# BRANDING: 
+
+# Root URL for documentation links
+# DOCUMENTATION_ROOT: 
+
+# Whether to allow for team membership to be synced from a backing group in the authentication engine (LDAP or Keystone)
+# FEATURE_TEAM_SYNCING: false
+
+# If enabled, non-superusers can setup syncing on teams to backing LDAP or Keystone. Defaults To False.
+# FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP: false
+
+# If team syncing is enabled for a team, how often to check its membership and resync if necessary (Default: 30m)
+# TEAM_RESYNC_STALE_TIME: 30m
+
+# If enabled, users can create tokens for use by the Docker CLI. Defaults to True
+# FEATURE_APP_SPECIFIC_TOKENS: true
+
+# Whether to turn of/off the security scanner. Defaults to False
+FEATURE_SECURITY_SCANNER: true
+
+# If 'SECURITY_SCANNER_V4_SIGN_JWT', Quay will sign JWTs with either the key provided by `SECURITY_SCANNER_V4_PSK' or the Quay instance's private key otherwise.
+SECURITY_SCANNER_V4_SIGN_JWT: true
+
+# The endpoint for the V2 security scanner
+# SECURITY_SCANNER_ENDPOINT: 
+
+# Whether or not to the security scanner notification feature
+# SECURITY_SCANNER_NOTIFICATIONS: false
+
+# The number of seconds between indexing intervals in the security scanner. Defaults to 30.
+# SECURITY_SCANNER_INDEXING_INTERVAL: 30
+
+# The endpoint for the V4 security scanner
+SECURITY_SCANNER_V4_ENDPOINT: http://localhost:6060
+
+# The namespaces to which the security scanner should be enabled for
+# SECURITY_SCANNER_V4_NAMESPACE_WHITELIST: []
+
+# If 'SECURITY_SCANNER_V4_SIGN_JWT', Quay will sign JWTs with either the key provided by `SECURITY_SCANNER_V4_PSK' (if specified here) or the Quay instance's private key otherwise.
+SECURITY_SCANNER_V4_PSK: 'REDACTEDREDACTEDREDACTED'
+
+# The issuer name to use in JWTs for the security scanner.
+SECURITY_SCANNER_ISSUER_NAME: security_scanner
+
+# Whether to support Dockerfile build. Defaults to True
+# FEATURE_BUILD_SUPPORT: 
+
+# Configuration for using BitBucket for build triggers
+# BITBUCKET_TRIGGER_CONFIG: 
+
+# Whether to support Bitbucket build triggers. Defaults to False
+# FEATURE_BITBUCKET_BUILD: false
+
+# Act as a proxy cache for upstream registries (e.g. Docker Hub, Quay.io, etc.)
+FEATURE_PROXY_CACHE: true
+
+# Logs model for action logs
+# LOGS_MODEL: database
+
+# Logs model config for action logs
+# LOGS_MODEL_CONFIG: 
+
+# Whether to support GitHub build triggers. Defaults to False
+# FEATURE_GITHUB_BUILD: false
+
+# Configuration for using GitHub (Enterprise) for build triggers
+# GITHUB_TRIGGER_CONFIG: 
+
+# Configuration for using GitHub (Enterprise) as an external login provider
+# GITHUB_LOGIN_CONFIG: 
+
+# Whether to support GitLab build triggers. Defaults to False
+# FEATURE_GITLAB_BUILD: false
+
+# Configuration for using Gitlab (Enterprise) for external authentication
+# GITLAB_TRIGGER_CONFIG: 
+
+# Configuration for using Google for external authentication
+# GOOGLE_LOGIN_CONFIG: 
+
+# The endpoint for JWT verification
+# JWT_VERIFY_ENDPOINT: 
+
+# The endpoint for JWT queries
+# JWT_QUERY_ENDPOINT: 
+
+# The endpoint for JWT users
+# JWT_GETUSER_ENDPOINT: 
+
+# The endpoint for JWT users
+# JWT_AUTH_ISSUER: 
+
+# Whether emails are enabled. Defaults to False
+FEATURE_MAILING: false
+
+# If TLS is supported, but terminated at a layer before Quay, must be true.
+# EXTERNAL_TLS_TERMINATION: false
+
+# Whether to enable support for repository mirroring. Defaults to False
+FEATURE_REPO_MIRROR: true
+
+# Require HTTPS and verify certificates of Quay registry during mirror. Defaults to True
+REPO_MIRROR_TLS_VERIFY: false
+
+# The number of seconds between checking for repository mirror candidates. Defaults to 30.
+# REPO_MIRROR_INTERVAL: 30
+
+# Replaces the SERVER_HOSTNAME as the destination for mirroring. Defaults to unset
+# REPO_MIRROR_SERVER_HOSTNAME: 
+
+# Maximum size in bytes of manifest list JSON to parse during mirroring. Prevents DoS via oversized manifests. Defaults to 10485760 (10MB).
+# REPO_MIRROR_MAX_MANIFEST_LIST_SIZE: 10485760
+
+# Maximum number of manifest entries to process during architecture-filtered mirroring. Prevents DoS via manifest lists with excessive entries. Defaults to 1000.
+# REPO_MIRROR_MAX_MANIFEST_ENTRIES: 1000
+
+# The SMTP server to use for sending e-mails. Only required if FEATURE_MAILING is set to true.
+# MAIL_SERVER: 
+
+# The SMTP port to use. If not specified, defaults to 587.
+# MAIL_PORT: 587
+
+# If set to true, no new User accounts may be created if their email domain is blacklisted.
+# FEATURE_BLACKLISTED_EMAILS: false
+
+# The array of email-address domains that is used if FEATURE_BLACKLISTED_EMAILS is set to true.
+# BLACKLISTED_EMAIL_DOMAINS: []
+
+# Whether or not to use authentication for mail server.
+# MAIL_USE_AUTH: false
+
+# The SMTP username to use when sending e-mails.
+# MAIL_USERNAME: 
+
+# The SMTP password to use when sending e-mails.
+# MAIL_PASSWORD: 
+
+# If specified, the e-mail address used as the `from` when Quay sends e-mails. If none, defaults to `support@quay.io`.
+# MAIL_DEFAULT_SENDER: support@quay.io
+
+# If specified, whether to use TLS for sending e-mails.
+# MAIL_USE_TLS: false
+
+# Whether users and organizations are allowed to change the tag expiration for tags in their namespace. Defaults to True.
+# FEATURE_CHANGE_TAG_EXPIRATION: true
+
+# The options that users can select for expiration of tags in their namespace (if enabled)
+# TAG_EXPIRATION_OPTIONS: [2w]
+
+# The default, configurable tag expiration time for time machine. Defaults to `2w`.
+# DEFAULT_TAG_EXPIRATION: 2w
+
+# LDAP configuration for external authentication. Only required if AUTHENTICATION_TYPE is set to LDAP.
+# LDAP_ADMIN_DN: 
+# LDAP_ADMIN_PASSWD: 
+# LDAP_URI: ldap://localhost
+# LDAP_ALLOW_INSECURE_FALLBACK: false
+# LDAP_BASE_DN: 
+# LDAP_USER_RDN: []
+# LDAP_UID_ATTR: uid
+# LDAP_EMAIL_ATTR: mail
+# LDAP_USER_FILTER: 
+
+# If set to true, auto pruning of images is supported. Defaults to False
+# FEATURE_AUTO_PRUNE: true
+
+# Default org wide auto prune policy. Defaults to empty
+# DEFAULT_NAMESPACE_AUTOPRUNE_POLICY: 

cookbooks/quay/config/examples/clair/config.yaml

@@ -0,0 +1,31 @@
+# Clair vulnerability scanner configuration
+# Copy this file to /etc/quadlets/quay/clair-config.yaml and customize it.
+# See https://quay.github.io/clair/reference/config.html for the full reference.
+#
+# Clair runs in combo mode: indexer, matcher and notifier all run in a single
+# process sharing the same PostgreSQL database.
+
+http_listen_addr: ":6060"
+introspection_addr: ":8089"
+log_level: info
+
+indexer:
+  connstring: "host=127.0.0.1 port=5432 user=clair password=clair dbname=clair sslmode=disable"
+  migrations: true
+
+matcher:
+  connstring: "host=127.0.0.1 port=5432 user=clair password=clair dbname=clair sslmode=disable"
+  migrations: true
+  indexer_addr: http://localhost:6060
+
+notifier:
+  connstring: "host=127.0.0.1 port=5432 user=clair password=clair dbname=clair sslmode=disable"
+  migrations: true
+
+auth:
+  psk:
+    # Pre-shared key for Clair <-> Quay authentication (must match config.yaml)
+    key: 'REDACTEDREDACTEDREDACTED'
+    iss:
+      - quay
+      - clairctl

cookbooks/quay/config/examples/redis/redis.conf

@@ -0,0 +1,10 @@
+# Network settings
+port 6379
+bind 127.0.0.1
+
+# Set a password for Redis
+requirepass quay
+
+# Hybrid mode (AOF + RDB)
+appendonly yes
+aof-use-rdb-preamble yes

cookbooks/quay/config/examples/redis/redis.env

@@ -0,0 +1 @@
+REDISCLI_AUTH=quay

cookbooks/quay/config/quay_load_tls_certs.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -Eeuo pipefail
+
+if ls /var/lib/quadlets/lego/certificates/*.crt &> /dev/null; then
+    echo "Lego-issued certificates found, loading them for Quay..."
+    install -o 10026 -g 10000 -m 0600 $(ls /var/lib/quadlets/lego/certificates/*.crt | head -1) /etc/quadlets/quay/app/ssl.cert
+    install -o 10026 -g 10000 -m 0600 $(ls /var/lib/quadlets/lego/certificates/*.key | head -1) /etc/quadlets/quay/app/ssl.key
+elif [ ! -f /etc/quadlets/quay/app/ssl.cert ] && [ ! -f /etc/quadlets/quay/app/ssl.key ]; then
+    echo "No Lego-issued certificates found, generating self-signed certificates for Quay..."
+    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/quadlets/quay/app/ssl.key -out /etc/quadlets/quay/app/ssl.cert -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost"
+    chown 10026:10000 /etc/quadlets/quay/app/ssl.{key,cert}
+    chmod 0600 /etc/quadlets/quay/app/ssl.{key,cert}
+fi

cookbooks/quay/other/postgresql/clair.sql

@@ -0,0 +1,4 @@
+-- Initialization script for Clair database and user
+CREATE USER clair WITH PASSWORD 'clair';
+CREATE DATABASE clair OWNER clair;
+GRANT ALL PRIVILEGES ON DATABASE clair TO clair;

cookbooks/quay/other/postgresql/quay.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -Eeuo pipefail
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+#    ie: docker_process_sql -f my-file.sql
+#    ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+        local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+        if [ -n "$POSTGRES_DB" ]; then
+                query_runner+=( --dbname "$POSTGRES_DB" )
+        fi
+
+        PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# Create the Quay database and user, and grant privileges
+docker_process_sql <<-'EOSQL'
+-- Initialization script for Quay database and user
+CREATE USER quay WITH PASSWORD 'quay';
+CREATE DATABASE quay OWNER quay;
+GRANT ALL PRIVILEGES ON DATABASE quay TO quay;
+EOSQL
+
+# Connect to the Quay database and create the pg_trgm extension, which is required by Quay
+export POSTGRES_USER=quay
+export POSTGRES_DB=quay
+docker_process_sql <<-'EOSQL'
+CREATE EXTENSION IF NOT EXISTS pg_trgm;
+EOSQL

cookbooks/quay/overlay.bu

@@ -0,0 +1,9 @@
+variant: fcos
+version: 1.4.0
+passwd:
+  users:
+  - name: quay
+    uid: 10026
+    gecos: Quay Container Registry
+    home_dir: /var/lib/quadlets/quay
+    primary_group: itix-svc

cookbooks/quay/quay-app.container

@@ -0,0 +1,56 @@
+[Unit]
+Description=Quay Container Registry Application
+Documentation=https://docs.projectquay.io/
+After=network.target quay-redis.service quay-init-certificate.service var-lib-virtiofs-data.mount
+Requires=quay-redis.service quay-init-certificate.service var-lib-virtiofs-data.mount
+
+# Only start if Quay has been configured
+ConditionPathExists=/etc/quadlets/quay/app/config.yaml
+
+# Start/stop this unit when the target is started/stopped
+PartOf=quay.target
+
+[Container]
+ContainerName=quay-app
+Image=quay-app.image
+
+# Quay runs as the quay user (1001) inside the container
+User=1001
+Group=0
+
+# UID/GID mapping to map the quay (1001/0) user inside the container to arbitrary user 10026 / group 10000 on the host
+UIDMap=0:1000000:65535
+UIDMap=+1001:10026:1
+GIDMap=0:1000000:65535
+GIDMap=+0:10000:1
+
+# Network configuration
+Network=host
+
+# Storage
+Volume=/var/lib/virtiofs/data/quay/storage:/datastorage:Z
+
+# Configuration
+Volume=/etc/quadlets/quay/app:/quay-registry/conf/stack:Z,ro
+
+# Health check
+HealthCmd=curl -sk https://localhost:8443/health/instance
+HealthInterval=30s
+HealthTimeout=10s
+HealthStartPeriod=120s
+HealthRetries=3
+
+[Service]
+Restart=always
+RestartSec=10
+TimeoutStartSec=120
+TimeoutStopSec=30
+
+# Wait for PostgreSQL to be ready on localhost
+ExecStartPre=/bin/sh -c 'exec 2>/dev/null; for try in $(seq 0 12); do if ! /bin/true 5<> /dev/tcp/127.0.0.1/5432; then echo "Waiting for PostgreSQL to be available..."; sleep 5; else exit 0; fi; done; exit 1'
+
+# Wait for Redis to be ready on localhost
+ExecStartPre=/bin/sh -c 'exec 2>/dev/null; for try in $(seq 0 12); do if ! /bin/true 5<> /dev/tcp/127.0.0.1/6379; then echo "Waiting for Redis to be available..."; sleep 5; else exit 0; fi; done; exit 1'
+
+[Install]
+WantedBy=quay.target

cookbooks/quay/quay-app.image

@@ -0,0 +1,6 @@
+[Unit]
+Description=podman pull quay.io/projectquay/quay:3.17.1
+Documentation=https://docs.projectquay.io/
+
+[Image]
+Image=quay.io/projectquay/quay:3.17.1

cookbooks/quay/quay-clair.container

@@ -0,0 +1,44 @@
+[Unit]
+Description=Clair Vulnerability Scanner for Quay
+Documentation=https://quay.github.io/clair/
+After=network.target
+
+# Only start if Clair has been configured
+ConditionPathExists=/etc/quadlets/quay/clair/config.yaml
+
+# Start/stop this unit when the target is started/stopped
+PartOf=quay.target
+
+[Container]
+ContainerName=quay-clair
+Image=quay-clair.image
+
+# Clair runs as the nobody user (65534) inside the container
+User=65534
+Group=65534
+
+# UID/GID mapping to map the nobody (65534) user inside the container to arbitrary user 10026 / group 10000 on the host
+UIDMap=0:1000000:65535
+UIDMap=+65534:10026:1
+GIDMap=0:1000000:65535
+GIDMap=+65534:10000:1
+
+# Network configuration
+Network=host
+
+# Configuration
+Volume=/etc/quadlets/quay/clair:/etc/clair:Z,ro
+
+# Run Clair in combo mode (indexer + matcher + notifier in a single process)
+Exec=-conf /etc/clair/config.yaml
+
+[Service]
+Restart=always
+RestartSec=10
+TimeoutStartSec=120
+
+# Wait for PostgreSQL to be ready on localhost
+ExecStartPre=/bin/sh -c 'exec 2>/dev/null; for try in $(seq 0 12); do if ! /bin/true 5<> /dev/tcp/127.0.0.1/5432; then echo "Waiting for PostgreSQL to be available..."; sleep 5; else exit 0; fi; done; exit 1'
+
+[Install]
+WantedBy=quay.target

cookbooks/quay/quay-clair.image

@@ -0,0 +1,6 @@
+[Unit]
+Description=podman pull quay.io/projectquay/clair:4.9.0
+Documentation=https://quay.github.io/clair/
+
+[Image]
+Image=quay.io/projectquay/clair:4.9.0

cookbooks/quay/quay-init-certificate.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Initialize Quay TLS certificates if not already present
+Before=quay-app.service
+After=lego.target
+
+# Start/stop this unit when the target is started/stopped
+PartOf=quay.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/etc/quadlets/quay/quay_load_tls_certs.sh
+
+[Install]
+WantedBy=quay.target

cookbooks/quay/quay-load-renewed-certificate.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Reload Quay TLS certificate after Lego renewal
+# Lego touches .renewed files when renewed certificates are available
+ConditionPathExistsGlob=/var/lib/quadlets/lego/certificates/*.renewed
+After=lego-renew.service
+
+[Service]
+Type=oneshot
+# Copy the renewed certificates to the Quay TLS directory
+ExecStart=/etc/quadlets/quay/quay_load_tls_certs.sh
+# Restart Quay to load the new certificate
+ExecStart=systemctl --no-block restart quay-app.service
+# Remove the flag files after restarting Quay
+ExecStartPost=/bin/sh -Eeuo pipefail -c 'rm -f /var/lib/quadlets/lego/certificates/*.renewed'
+
+[Install]
+WantedBy=lego-renew.service

cookbooks/quay/quay-redis.container

@@ -0,0 +1,49 @@
+[Unit]
+Description=Redis cache for Quay
+Documentation=https://hub.docker.com/_/redis
+After=network.target var-lib-virtiofs-data.mount
+Requires=var-lib-virtiofs-data.mount
+
+# Only start if Redis has been configured
+ConditionPathExists=/etc/quadlets/quay/redis/redis.env
+ConditionPathExists=/etc/quadlets/quay/redis/redis.conf
+
+# Start/stop this unit when the target is started/stopped
+PartOf=quay.target
+
+[Container]
+ContainerName=quay-redis
+Image=quay-redis.image
+
+# Network configuration
+Network=host
+
+# Redis configuration with authentication
+Exec=redis-server /usr/local/etc/redis/redis.conf
+
+# No need for root privileges
+User=10026
+Group=10000
+
+# Storage
+Volume=/var/lib/virtiofs/data/quay/redis:/data:Z
+Volume=/etc/quadlets/quay/redis/redis.conf:/usr/local/etc/redis/redis.conf:ro,Z
+
+# Health check
+HealthCmd=redis-cli -t 5 ping | grep -qFx PONG
+HealthInterval=30s
+HealthTimeout=5s
+HealthStartPeriod=10s
+HealthRetries=3
+
+[Service]
+Restart=always
+RestartSec=10
+TimeoutStartSec=300
+TimeoutStopSec=30
+
+# These environment variables are sourced to be used by systemd in the Exec* commands
+EnvironmentFile=/etc/quadlets/quay/redis/redis.env
+
+[Install]
+WantedBy=quay.target

cookbooks/quay/quay-redis.image

@@ -0,0 +1,5 @@
+[Unit]
+Description=podman pull docker.io/library/redis:7
+
+[Image]
+Image=docker.io/library/redis:7

cookbooks/quay/quay.target

@@ -0,0 +1,13 @@
+[Unit]
+Description=Quay Container Registry Target
+Documentation=https://docs.projectquay.io/
+Requires=quay-redis.service quay-clair.service quay-app.service quay-init-certificate.service
+After=quay-redis.service quay-clair.service quay-app.service quay-init-certificate.service
+
+# Allow isolation - can stop/start this target independently
+AllowIsolate=yes
+# Only start if Quay has been configured
+ConditionPathExists=/etc/quadlets/quay/config.yaml
+
+[Install]
+WantedBy=multi-user.target

cookbooks/quay/tmpfiles.d/quay.conf

@@ -0,0 +1,7 @@
+# Runtime directories for Quay
+d /run/quadlets/quay 0755 10026 10000 -
+d /run/quadlets/quay/tls 0700 10026 10000 -
+# Persistent data directories for Quay
+d /var/lib/virtiofs/data/quay 0700 10026 10000 -
+d /var/lib/virtiofs/data/quay/redis 0700 10026 10000 -
+d /var/lib/virtiofs/data/quay/storage 0700 10026 10000 -