misc: zot registry, k8s OIDC, server configs, sandbox experiments, and notes

- docker-30/zot: add Zot OCI registry with on-demand sync to docker.io, registry.k8s.io, ghcr.io, quay.io - kubernetes-kvm-terraform: wire Kanidm OIDC via structured AuthenticationConfiguration; add reference apiserver manifest and join-node-02 helper - servers: reorganize shadow/ under servers/, add saint vhost config and utility-101 VM definition, add shadow hrajfrisbee.cz vhost and storage-23 notes - experiments: add notes and configs for e2b dev VM, kata + firecracker on kube, microsandbox, orb-stack k3s (terraform + cloud-init), rke2 - vms/docker: document tailscale + node-exporter setup - blog: stub post on Gateway API - chore: gitignore tmp/, smtp_password, and the two local-only credential caches; add per-project .claude/settings.json Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 18:12:38 +02:00
parent 5ca27a832b
commit 80d0cc1168
34 changed files with 2814 additions and 1 deletions
--- a/docker-30/zot/config.yaml
+++ b/docker-30/zot/config.yaml
@@ -0,0 +1,52 @@
+distSpecVersion: "1.1.0"
+storage:
+  rootDirectory: /var/lib/zot
+  gc: true
+  gcDelay: "24h"
+  dedupe: true
+http:
+  address: 0.0.0.0
+  port: 5000
+  compat:
+  - docker2s2
+log:
+  # level: info
+  level: debug
+extensions:
+  ui:
+    enable: true
+  search:
+    enable: true
+  sync:
+    enable: true
+    credentialsFile: "/etc/zot/sync-credentials.json"
+    registries:
+      - urls: ["https://registry-1.docker.io"]
+        onDemand: true
+        tlsVerify: true
+        content:
+          - prefix: "library/**"
+            destination: "/docker.io/library"
+          - prefix: "democraticcsi/**"
+            destination: "/democraticcsi"
+          - prefix: "**"
+            destination: "/docker.io"
+
+      - urls: ["https://registry.k8s.io"]
+        onDemand: true
+        tlsVerify: true
+        content:
+          - prefix: "**"
+            destination: "/registry.k8s.io"
+      - urls: ["https://ghcr.io"]
+        onDemand: true
+        tlsVerify: true
+        content:
+          - prefix: "**"
+            destination: "/ghcr.io"
+      - urls: ["https://quay.io"]
+        onDemand: true
+        tlsVerify: true
+        content:
+          - prefix: "**"
+            destination: "/quay.io"