From f8f3dd5f83b568aef3f9f6f80f9c4ddc71505b65 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Tue, 8 Jul 2025 11:30:03 -0500
Subject: [PATCH] docker-proxy: Deploy a proxy/cache for Docker Hub

Docker Hub's rate limits are so low now that they've started to affect my home lab. Deploying a caching proxy and directing all pull requests through it should prevent exceeding the limit. It will also help prevent containers from starting if access to the Internet is down, as long as their images have been cached recently.
---
 docker-proxy.yml | 6 +++
 group_vars/docker-proxy.yml | 10 +++++
 .../files/dockerhub-proxy-cache.conf | 2 +
 .../files/dockerhub-proxy.conf | 17 +++++++++
 roles/dockerhub-proxy/meta/main.yml | 4 ++
 roles/dockerhub-proxy/tasks/main.yml | 38 +++++++++++++++++++
 site.yml | 1 +
 7 files changed, 78 insertions(+)
 create mode 100644 docker-proxy.yml
 create mode 100644 group_vars/docker-proxy.yml
 create mode 100644 roles/dockerhub-proxy/files/dockerhub-proxy-cache.conf
 create mode 100644 roles/dockerhub-proxy/files/dockerhub-proxy.conf
 create mode 100644 roles/dockerhub-proxy/meta/main.yml
 create mode 100644 roles/dockerhub-proxy/tasks/main.yml
diff --git a/docker-proxy.yml b/docker-proxy.yml
new file mode 100644
index 0000000..1f8ca3c
--- /dev/null
+++ b/docker-proxy.yml
@@ -0,0 +1,6 @@
+- hosts: docker-proxy
+ roles:
+ - lego-nginx
+ - role: dockerhub-proxy
+ tags:
+ - dockerhub-proxy
diff --git a/group_vars/docker-proxy.yml b/group_vars/docker-proxy.yml
new file mode 100644
index 0000000..b163e57
--- /dev/null
+++ b/group_vars/docker-proxy.yml
@@ -0,0 +1,10 @@
+data_volumes:
+- dev: /dev/vdb
+ fstype: ext4
+ mountpoint: /var/cache
+nginx_ssl_certificate: /var/lib/lego/certificates/{{ lego_domains[0] }}.crt
+nginx_ssl_certificate_key: /var/lib/lego/certificates/{{ lego_domains[0] }}.key
+lego_acme_server: https://ca.pyrocufflink.blue/acme/acme/directory
+lego_acme_email: '{{ ansible_hostname }}@pyrocufflink.net'
+lego_domains:
+- docker-hub.proxy.pyrocufflink.blue
diff --git a/roles/dockerhub-proxy/files/dockerhub-proxy-cache.conf b/roles/dockerhub-proxy/files/dockerhub-proxy-cache.conf
new file mode 100644
index 0000000..5f65628
--- /dev/null
+++ b/roles/dockerhub-proxy/files/dockerhub-proxy-cache.conf
@@ -0,0 +1,2 @@
+# vim: set ft=nginx.conf :
+proxy_cache_path /var/cache/nginx/docker levels=1:2 keys_zone=docker_cache:100m max_size=10g inactive=60m use_temp_path=off;
diff --git a/roles/dockerhub-proxy/files/dockerhub-proxy.conf b/roles/dockerhub-proxy/files/dockerhub-proxy.conf
new file mode 100644
index 0000000..0749b40
--- /dev/null
+++ b/roles/dockerhub-proxy/files/dockerhub-proxy.conf
@@ -0,0 +1,17 @@
+# vim: set ft=nginx.conf :
+location /v2/ {
+ proxy_pass https://registry-1.docker.io;
+
+ proxy_set_header Host registry-1.docker.io;
+ proxy_ssl_server_name on;
+
+ proxy_cache docker_cache;
+ proxy_cache_valid 200 302 60m;
+ proxy_cache_valid 404 10m;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
+ proxy_buffers 8 16k;
+ proxy_buffer_size 32k;
+
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+}
diff --git a/roles/dockerhub-proxy/meta/main.yml b/roles/dockerhub-proxy/meta/main.yml
new file mode 100644
index 0000000..3ebd2a7
--- /dev/null
+++ b/roles/dockerhub-proxy/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+- role: nginx
+ tags:
+ - nginx
diff --git a/roles/dockerhub-proxy/tasks/main.yml b/roles/dockerhub-proxy/tasks/main.yml
new file mode 100644
index 0000000..6810373
--- /dev/null
+++ b/roles/dockerhub-proxy/tasks/main.yml
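Review bot: `inactive=60m` on the `proxy_cache_path` line evicts any entry that has not been requested within an hour regardless of whether it is still valid, so the offline fallback the commit message describes (the `proxy_cache_use_stale` in dockerhub-proxy.conf) can only ever serve content that was pulled in the previous hour. If surviving an Internet outage is the goal, raise it to something like `inactive=30d` and let `max_size=10g` drive eviction instead; blob entries are addressed by digest and cannot go stale, while tag manifests are already bounded by `proxy_cache_valid` in the other file. As far as I recall, Docker Hub answers blob GETs with a 307 redirect to its CDN rather than a 200, and 307 is not in the `proxy_cache_valid` list, so it may be worth verifying that blobs actually land in this cache at all before relying on it during an outage.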
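Review bot: Nothing in this `location` block enables certificate verification for the upstream connection, and nginx's `proxy_ssl_verify` defaults to `off`, so the proxy accepts any certificate from whatever answers as registry-1.docker.io; a MITM between this host and Docker Hub could feed a substituted tag manifest into the cache, and the Docker client trusts that manifest as the tag-to-digest resolution. Add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;` next to `proxy_ssl_server_name on;` (the bundle path assumes an EL/Fedora host, which the `seboolean` task in this commit suggests; adjust if not). Separately, the default cache key is `$scheme$proxy_host$request_uri` and ignores the `Authorization` header, so a manifest pulled with one client's token for a private repository would be served from cache to any other client requesting the same path; unless the key is changed, this deserves a comment such as `# Cache is keyed by URI only (Authorization ignored): pull public images only through this proxy, or restrict who can reach it`.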
@@ -0,0 +1,38 @@
+- name: ensure nginx is allowed to proxy
+ seboolean:
+ name: httpd_can_network_connect
+ state: true
+ persistent: true
+ tags:
+ - selinux
+
+- name: ensure nginx docker proxy cache directory exists
+ file:
+ path: /var/cache/nginx/docker
+ owner: nginx
+ group: nginx
+ mode: u=rwx,go=
+ state: directory
+ tags:
+ - datadir
+
+- name: ensure nginx docker proxy cache path is configured
+ copy:
+ src: dockerhub-proxy-cache.conf
+ dest: /etc/nginx/conf.d/
+ notify:
+ - reload nginx
+ tags:
+ - nginx-config
+
+- name: ensure nginx is configured to proxy for docker hub
+ copy:
+ src: dockerhub-proxy.conf
+ dest: /etc/nginx/default.d/dockerhub-proxy.conf
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload nginx
+ tags:
+ - nginx-config
diff --git a/site.yml b/site.yml
index 4671029..89e7976 100644
--- a/site.yml
+++ b/site.yml
@@ -14,3 +14,4 @@
 - import_playbook: unifi.yml
 - import_playbook: victoria-logs.yml
 - import_playbook: restic.yml
+- import_playbook: docker-proxy.yml
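Review bot: `httpd_can_network_connect` in the first task lets nginx open outbound connections to any port, which is broader than a reverse proxy to port 443 needs; `httpd_can_network_relay` is the boolean intended for this case (connections to http/https-labelled ports only), so `name: httpd_can_network_relay` would keep the least-privilege posture the SELinux policy offers. The cache-path `copy` task also omits the `owner`, `group` and `mode` that the second `copy` task sets, so the installed `/etc/nginx/conf.d/dockerhub-proxy-cache.conf` gets the umask-derived default instead of an explicit `u=rw,go=r`; add the same three lines for consistency.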