# Zot — OCI pull-through registry cache
# =============================================================================
# Single-instance pull-through cache for Docker Hub, lscr.io, ghcr.io, quay.io
#
# How it works:
#   - Each Docker host points its registry-mirror at http://100.83.230.112:5000
#   - On first pull, Zot fetches from upstream and caches locally
#   - Subsequent pulls on any host are served from local cache instantly
#   - No credentials required for public images
#
# Storage: /volume2/metadata/docker2/zot/ (NVMe RAID1 — fast, ~10-20GB steady state)
#
# Web UI:  http://100.83.230.112:5050 (browse cached images)
# Metrics: http://100.83.230.112:5050/metrics (Prometheus)
#
# Per-host mirror config (one-time, manual):
#   Atlantis/Calypso: Container Manager → Registry → Settings → Mirror
#   Other Linux hosts: /etc/docker/daemon.json → "registry-mirrors": ["http://100.83.230.112:5000"]
#
# To add credentials (Docker Hub authenticated pulls, ghcr.io):
#   Drop /volume2/metadata/docker2/zot/credentials.json on Atlantis
#   See docs/services/individual/zot.md for format
# =============================================================================

services:
  zot:
    image: ghcr.io/project-zot/zot-linux-amd64:latest
    container_name: zot
    restart: unless-stopped
    ports:
      - "5050:5000"
    volumes:
      - /volume2/metadata/docker2/zot/data:/var/lib/registry
      - /volume2/metadata/docker2/zot/config.json:/etc/zot/config.json:ro
      # credentials.json is optional — drop it on Atlantis to enable authenticated pulls
      # - /volume2/metadata/docker2/zot/credentials.json:/etc/zot/credentials.json:ro
    labels:
      - com.centurylinklabs.watchtower.enable=true