docker-proxy: Deploy a proxy/cache for Docker Hub

Docker Hub's rate limits are so low now that they've started to affect my home lab. Deploying a caching proxy and directing all pull requests through it should prevent exceeding the limit. It will also help prevent containers from starting if access to the Internet is down, as long as their images have been cached recently.
2025-07-08 11:30:03 -05:00 · 2025-07-08 11:30:03 -05:00 · f8f3dd5f83
parent 6d1442faf0
commit f8f3dd5f83
7 changed files with 78 additions and 0 deletions
--- a/docker-proxy.yml
+++ b/docker-proxy.yml
@ -0,0 +1,6 @@
+- hosts: docker-proxy
+  roles:
+  - lego-nginx
+  - role: dockerhub-proxy
+    tags:
+    - dockerhub-proxy
--- a/group_vars/docker-proxy.yml
+++ b/group_vars/docker-proxy.yml
@ -0,0 +1,10 @@
+data_volumes:
+- dev: /dev/vdb
+  fstype: ext4
+  mountpoint: /var/cache
+nginx_ssl_certificate: /var/lib/lego/certificates/{{ lego_domains[0] }}.crt
+nginx_ssl_certificate_key: /var/lib/lego/certificates/{{ lego_domains[0] }}.key
+lego_acme_server: https://ca.pyrocufflink.blue/acme/acme/directory
+lego_acme_email: '{{ ansible_hostname }}@pyrocufflink.net'
+lego_domains:
+- docker-hub.proxy.pyrocufflink.blue
--- a/roles/dockerhub-proxy/files/dockerhub-proxy-cache.conf
+++ b/roles/dockerhub-proxy/files/dockerhub-proxy-cache.conf
@ -0,0 +1,2 @@
+# vim: set ft=nginx.conf :
+proxy_cache_path /var/cache/nginx/docker levels=1:2 keys_zone=docker_cache:100m max_size=10g inactive=60m use_temp_path=off;
--- a/roles/dockerhub-proxy/files/dockerhub-proxy.conf
+++ b/roles/dockerhub-proxy/files/dockerhub-proxy.conf
@ -0,0 +1,17 @@
+# vim: set ft=nginx.conf :
+location /v2/ {
+    proxy_pass https://registry-1.docker.io;
+
+    proxy_set_header Host registry-1.docker.io;
+    proxy_ssl_server_name on;
+
+    proxy_cache docker_cache;
+    proxy_cache_valid 200 302 60m;
+    proxy_cache_valid 404 10m;
+    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
+    proxy_buffers 8 16k;
+    proxy_buffer_size 32k;
+
+    proxy_http_version 1.1;
+    proxy_set_header Connection "";
+}
--- a/roles/dockerhub-proxy/meta/main.yml
+++ b/roles/dockerhub-proxy/meta/main.yml
@ -0,0 +1,4 @@
+dependencies:
+- role: nginx
+  tags:
+  - nginx
--- a/roles/dockerhub-proxy/tasks/main.yml
+++ b/roles/dockerhub-proxy/tasks/main.yml
@ -0,0 +1,38 @@
+- name: ensure nginx is allowed to proxy
+  seboolean:
+    name: httpd_can_network_connect
+    state: true
+    persistent: true
+  tags:
+  - selinux
+
+- name: ensure nginx docker proxy cache directory exists
+  file:
+    path: /var/cache/nginx/docker
+    owner: nginx
+    group: nginx
+    mode: u=rwx,go=
+    state: directory
+  tags:
+  - datadir
+
+- name: ensure nginx docker proxy cache path is configured
+  copy:
+    src: dockerhub-proxy-cache.conf
+    dest: /etc/nginx/conf.d/
+  notify:
+  - reload nginx
+  tags:
+  - nginx-config
+
+- name: ensure nginx is configured to proxy for docker hub
+  copy:
+    src: dockerhub-proxy.conf
+    dest: /etc/nginx/default.d/dockerhub-proxy.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload nginx
+  tags:
+  - nginx-config
--- a/site.yml
+++ b/site.yml
@ -14,3 +14,4 @@
 - import_playbook: unifi.yml
 - import_playbook: victoria-logs.yml
 - import_playbook: restic.yml
+- import_playbook: docker-proxy.yml