  1. version: "3.7"
  2. services:
  letsencrypt-git:
    # TLS-terminating nginx in front of every web app except drone, which has
    # its own subdomain proxy (letsencrypt-drone). Certbot obtains and renews
    # the certificate for SERVER_NAME; the cert material persists in the
    # letsencrypt-git volume. Upstreams are reached by service name on appnet.
    # NOTE(review): the image carries no tag or digest, so each redeploy pulls
    # whatever the local registry currently serves as its default tag.
    image: ${LOCAL_DOCKER_REGISTRY}letsencrypt-git
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack == yes"
      restart_policy:
        condition: any
    environment:
      CERTBOT_EMAIL: "${CERTBOT_EMAIL}"
      SERVER_NAME: "${GIT_DOMAIN}"
      # upstream target / URL prefix pairs
      GIT_PROXY_PASS: "http://gitea:3000/"
      GIT_LOCATION: "/git/"
      BLOG_PROXY_PASS: "http://ghost:2368/"
      BLOG_LOCATION: "/"
      CHAT_PROXY_PASS: "http://chat:3000/"
      CHAT_LOCATION: "/chat/"
      COMMENTO_PROXY_PASS: "http://commento:8080/"
      COMMENTO_LOCATION: "/comment/"
      REMOTE_PROXY_PASS: "http://guacamole:8080/guacamole/"
      REMOTE_LOCATION: "/remote/"
      DRONE_PROXY_PASS: "http://drone-server:8080/"
      REGISTRY_PROXY_PASS: "http://registry-1:5000"
      PORTAINER_PROXY_PASS: "http://portainer:9000/"
      PORTAINER_LOCATION: "/portainer/"
      MATOMO_PROXY_PASS: "http://matomo-web/"
      MATOMO_LOCATION: "/analytics/"
      NAGIOS_PROXY_PASS: "http://nagios/"
      NAGIOS_LOCATION: "/nagios/"
      ZABBIX_PROXY_PASS: "http://zabbix-web:8080/"
      ZABBIX_LOCATION: "/zabbix/"
      # values handed in by the deploying pipeline
      DRONE_SERVER_HOST: "$DRONE_SERVER_HOST"
      TITLE: "$TITLE"
      DESCRIPTION: "$DESCRIPTION"
      DRONE_REPO_LINK: "$DRONE_REPO_LINK"
      DRONE_COMMIT: "$DRONE_COMMIT"
    volumes:
      - letsencrypt-git:/etc/letsencrypt
    networks:
      - appnet
    ports:
      # 80/443 are the public web entry points. 5000/5001/5005 are further
      # listeners of the proxy image; their purpose is not visible in this file.
      - "80:80"
      - "443:443"
      - "5000:5000"
      - "5001:5001"
      - "5005:5005"
  letsencrypt-drone:
    # nginx + certbot proxy for drone on its own subdomain (DRONE_DOMAIN).
    # Declared with replicas: 0, i.e. defined but not running; drone is
    # presumably reached through letsencrypt-git's DRONE_PROXY_PASS instead.
    image: ${LOCAL_DOCKER_REGISTRY}letsencrypt-drone
    deploy:
      replicas: 0
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack-data == yes"
      restart_policy:
        condition: any
    environment:
      CERTBOT_EMAIL: "${CERTBOT_EMAIL}"
      SERVER_NAME: "${DRONE_DOMAIN}"
      PROXY_PASS: "http://drone-server:8080/"
    volumes:
      - letsencrypt-drone:/etc/letsencrypt
    networks:
      - appnet
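  gitea:
    # gitea application, served behind letsencrypt-git at /git/ (ROOT_URL).
    # Signing/JWT secrets and mailer credentials come from the deploy
    # environment; nothing sensitive is stored in this file.
    image: ${LOCAL_DOCKER_REGISTRY}gitea
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack == yes"
      restart_policy:
        condition: any
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - ROOT_URL=https://${GIT_DOMAIN}/git
      - SSH_DOMAIN=${GIT_DOMAIN}
      - GITEA_APP_NAME=${GITEA_APP_NAME}
      - GIT_DOMAIN=${GIT_DOMAIN}
      - GITEA_SERVER_LFS_JWT_SECRET=$GITEA_SERVER_LFS_JWT_SECRET
      - GITEA_SECURITY_SECRET_KEY=$GITEA_SECURITY_SECRET_KEY
      - GITEA_SECURITY_INTERNAL_TOKEN=$GITEA_SECURITY_INTERNAL_TOKEN
      - GITEA_OAUTH2_JWT_SECRET=$GITEA_OAUTH2_JWT_SECRET
      - GITEA_MAILER_HOST=$GITEA_MAILER_HOST
      - GITEA_MAILER_USER=$GITEA_MAILER_USER
      - GITEA_MAILER_FROM=$GITEA_MAILER_FROM
      - GITEA_MAILER_PASSWD=$GITEA_MAILER_PASSWD
    volumes:
      - gitea-app:/data
    ports:
      # Port mappings are quoted on purpose: an unquoted 22:22 is read by
      # YAML 1.1 loaders as the sexagesimal integer 1342, so SSH would be
      # published on port 1342 instead of 22.
      # NOTE(review): 3000:3000 publishes gitea's plain-HTTP listener on every
      # swarm node, bypassing the TLS proxy even though ROOT_URL is https;
      # drop it if the proxy is the intended entry point. 22:22 also competes
      # with the node's own sshd if one is listening on 22.
      - "3000:3000"
      - "22:22"
    networks:
      - appnet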
  ngrok:
    # ngrok tunnel client (replicas: 0 — defined but not started).
    # NGROK_AUTH_TOKEN is an account credential and is read from the deploy
    # environment rather than stored here.
    image: ${LOCAL_DOCKER_REGISTRY}ngrok-gitea
    deploy:
      replicas: 0
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack == yes"
      restart_policy:
        condition: any
    ports:
      # ngrok's local inspection UI. Published on all node interfaces; it
      # shows tunnelled request/response bodies, so restrict it if the
      # service is ever scaled up.
      - "4040:4040"
    environment:
      GIT_DOMAIN: "${GIT_DOMAIN}"
      DRONE_DOMAIN: "${DRONE_DOMAIN}"
      REMOTE_DOMAIN: "${REMOTE_DOMAIN}"
      BLOG_DOMAIN: "${BLOG_DOMAIN}"
      CHAT_DOMAIN: "${CHAT_DOMAIN}"
      NGROK_AUTH_TOKEN: "${NGROK_AUTH_TOKEN}"
    networks:
      - appnet
  drone-server:
    # drone CI server. Users authenticate against gitea via OAuth2
    # (DRONE_GITEA_*); runners authenticate with the shared DRONE_RPC_SECRET;
    # the starlark convert plugin with DRONE_CONVERT_PLUGIN_SECRET.
    image: drone/drone:1.7.0
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack == yes"
      restart_policy:
        condition: any
    volumes:
      - drone:/var/lib/drone
      - drone-data:/data
    environment:
      # debug logging is verbose and may echo request details into the logs
      DRONE_LOGS_DEBUG: "true"
      DRONE_LOGS_PRETTY: "true"
      DRONE_GITEA_SERVER: "${DRONE_GITEA_SERVER}"
      DRONE_GITEA_CLIENT_ID: "${DRONE_GITEA_CLIENT_ID}"
      DRONE_GITEA_CLIENT_SECRET: "${DRONE_GITEA_CLIENT_SECRET}"
      DRONE_SERVER_HOST: "${DRONE_SERVER_HOST}"  # tunnel hostname
      DRONE_SERVER_PROTO: "https"  # tunnel adds https on top
      DRONE_SERVER_PORT: ":8080"
      # bootstrap admin account
      DRONE_ADMIN: "giles"
      DRONE_USER_CREATE: "username:giles,admin:true"
      DRONE_RPC_SECRET: "${DRONE_RPC_SECRET}"
      DRONE_AGENTS_ENABLED: "true"
      DRONE_CONVERT_PLUGIN_ENDPOINT: "http://drone-starlark:3000"
      DRONE_CONVERT_PLUGIN_SECRET: "${DRONE_CONVERT_SECRET}"
    networks:
      - appnet
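  drone-docker-runner:
    # drone runner that executes pipeline steps as containers on this node.
    # It drives the host Docker daemon through the mounted socket, which is
    # root-equivalent on the node: every pipeline this runner executes can
    # reach the whole host, so only trusted repositories should build here.
    image: drone/drone-runner-docker:1
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack == yes"
      restart_policy:
        condition: any
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      # The runner dials the server over its public https hostname; no appnet
      # attachment is declared, so it lands on the stack default network —
      # presumably intentional.
      - DRONE_RPC_PROTO=https
      - DRONE_RPC_HOST=${DRONE_SERVER_HOST}
      - DRONE_RPC_SECRET=${DRONE_RPC_SECRET}
      - DRONE_RUNNER_CAPACITY=8
      # Compose passes list-form values verbatim, so the previous
      # DRONE_RUNNER_NAME="docker-runner" registered the runner with the quote
      # characters as part of its name.
      - DRONE_RUNNER_NAME=docker-runner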
  drone-starlark:
    # drone conversion plugin: turns starlark pipeline files into YAML for
    # drone-server. Requests are authenticated with DRONE_SECRET, which must
    # match drone-server's DRONE_CONVERT_PLUGIN_SECRET (both ${DRONE_CONVERT_SECRET}).
    image: ${LOCAL_DOCKER_REGISTRY}drone-starlark
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack == yes"
      restart_policy:
        condition: any
    environment:
      DRONE_DEBUG: "true"
      DRONE_SECRET: "${DRONE_CONVERT_SECRET}"
      DRONE_STARLARK_REPO_PATHS: "this:/repos"
      SIGYL_STACK_NAME: "$SIGYL_STACK_NAME"
      SIGYL_STACK_ROOT: "$SIGYL_STACK_ROOT"
    networks:
      - appnet
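  registry:
    # internal registry serving TLS on :5000 with the stack's registry-cert /
    # registry-key secrets; published on host port 5003.
    image: registry:2
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack == yes"
      restart_policy:
        condition: any
    volumes:
      # NOTE(review): registry-data is also mounted by registry-1 below, so
      # two registry processes share one backing store — confirm intended.
      - registry-data:/var/lib/registry
    environment:
      - REGISTRY_HTTP_ADDR=0.0.0.0:5000
      # Compose passes list-form values verbatim: with quotes around the path
      # the registry would try to open a file whose name includes the quote
      # characters and TLS start-up would fail.
      - REGISTRY_HTTP_TLS_CERTIFICATE=/run/secrets/registry-cert
      - REGISTRY_HTTP_TLS_KEY=/run/secrets/registry-key
    secrets:
      - registry-cert
      - registry-key
    networks:
      - appnet
    ports:
      - "5003:5000"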
  registry-1:
    # internal registry #1 (why?) — plain-HTTP listener on :5000, not
    # published directly; letsencrypt-git forwards to it via REGISTRY_PROXY_PASS,
    # which is the only place TLS is applied to this instance.
    image: registry:2
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack == yes"
      restart_policy:
        condition: any
    volumes:
      # shared with the `registry` service above
      - registry-data:/var/lib/registry
    environment:
      REGISTRY_HTTP_ADDR: "0.0.0.0:5000"
    networks:
      - appnet
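  registry-cache:
    # pull-through cache for Docker Hub (used?); TLS on :5001, published on
    # host port 5002.
    image: registry:2
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack == yes"
      restart_policy:
        condition: any
    ports:
      - "5002:5001"
    volumes:
      - registry-cache-data:/var/lib/registry
    environment:
      - REGISTRY_HTTP_ADDR=0.0.0.0:5001
      # Compose passes list-form values verbatim; quoted paths would include
      # the quote characters and the TLS files would not be found.
      - REGISTRY_HTTP_TLS_CERTIFICATE=/run/secrets/registry-cert
      - REGISTRY_HTTP_TLS_KEY=/run/secrets/registry-key
      # Upstream must be fetched over https: a plaintext upstream lets anyone
      # on the path substitute image layers for every consumer of this cache.
      - REGISTRY_PROXY_REMOTEURL=https://registry-1.docker.io
    networks:
      - appnet
    secrets:
      - registry-cert
      - registry-key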
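  ghost:
    # ghost blog, served at / by letsencrypt-git; comments via commento.
    image: ${LOCAL_DOCKER_REGISTRY}ghost
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack == yes"
      restart_policy:
        condition: any
    volumes:
      - ghost-content-images:/var/lib/ghost/content/images
      - ghost-content-settings:/var/lib/ghost/content/settings
      - ghost-content-adapters:/var/lib/ghost/content/adapters
      - ghost-content:/var/lib/ghost/content/old-content
    environment:
      - GIT_DOMAIN=$GIT_DOMAIN
      # NOTE(review): variable names cannot contain '-', so $GHOST-MAIL-SERVICE
      # interpolates $GHOST (normally unset → empty) followed by the literal
      # text -MAIL-SERVICE, and GHOST-MAIL-* is not a valid environment
      # variable name either. Almost certainly meant as underscore names —
      # confirm against the image entrypoint and the deploy .env before renaming.
      - GHOST-MAIL-SERVICE=$GHOST-MAIL-SERVICE
      - GHOST-MAIL-USER=$GHOST-MAIL-USER
      - GHOST-MAIL-PASSWORD=$GHOST-MAIL-PASSWORD
      - COMMENTO_ORIGIN=$COMMENTO_ORIGIN
      # database settings (list items: the previous file dropped the "- " on
      # the last three, so they were folded into the host value or rejected)
      - database__client=mysql
      - database__connection__host=ghost-mysql
      # NOTE(review): ghost connects as the MySQL root user; a dedicated user
      # limited to the ghost schema would contain a compromised blog.
      - database__connection__user=root
      - database__connection__password=$GHOST_MYSQL_ROOT_PASSWORD
      - database__connection__database=ghost
    networks:
      - appnet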
  ghost-mysql:
    # MySQL backing store for ghost, pinned to the data node. Only the root
    # password is set, so ghost authenticates as root (see the ghost service).
    image: mysql:5.7
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack-data == yes"
      restart_policy:
        condition: any
    volumes:
      - ghost-data:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD: "$GHOST_MYSQL_ROOT_PASSWORD"
    networks:
      - appnet
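  commento:
    # commento comment server, embedded by the ghost blog and exposed at
    # /comment/ by letsencrypt-git. Runs on the data node next to its database.
    # NOTE(review): the image is tracked by the moving `latest` tag.
    image: registry.gitlab.com/commento/commento:latest
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack-data == yes"
      restart_policy:
        condition: any
    environment:
      COMMENTO_ORIGIN: "$COMMENTO_ORIGIN"
      COMMENTO_PORT: "8080"
      COMMENTO_FORBID_NEW_OWNERS: "$COMMENTO_FORBID_NEW_OWNERS"
      # Commento reads the spam-filter key as COMMENTO_AKISMET_KEY; the
      # previous key COMMENTO_ASKIMET_KEY (transposed letters) was silently
      # ignored. The deploy-side variable name is kept unchanged — verify
      # against the Commento configuration reference.
      COMMENTO_AKISMET_KEY: "$COMMENTO_ASKIMET_KEY"
      # outbound mail
      COMMENTO_SMTP_HOST: "$COMMENTO_SMTP_HOST"
      COMMENTO_SMTP_PORT: "$COMMENTO_SMTP_PORT"
      COMMENTO_SMTP_USERNAME: "$COMMENTO_SMTP_USERNAME"
      COMMENTO_SMTP_PASSWORD: "$COMMENTO_SMTP_PASSWORD"
      COMMENTO_SMTP_FROM_ADDRESS: "$COMMENTO_SMTP_FROM_ADDRESS"
      # GitHub OAuth login
      COMMENTO_GITHUB_KEY: "$COMMENTO_GITHUB_KEY"
      COMMENTO_GITHUB_SECRET: "$COMMENTO_GITHUB_SECRET"
      # Database DSN. sslmode=disable means the credentials and comment data
      # cross appnet in clear text; appnet is declared without the overlay
      # encryption option, so this is only safe while both tasks share a node.
      COMMENTO_POSTGRES: "postgres://${COMMENTO_POSTGRES_USER}:${COMMENTO_POSTGRES_PASSWORD}@commento-postgres:5432/${COMMENTO_POSTGRES_DB}?sslmode=disable"
    networks:
      - appnet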
  commento-postgres:
    # PostgreSQL for commento; credentials are injected from the deploy
    # environment and must match the DSN in the commento service.
    image: postgres:11-alpine
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack-data == yes"
      restart_policy:
        condition: any
    environment:
      POSTGRES_DB: "${COMMENTO_POSTGRES_DB}"
      POSTGRES_USER: "${COMMENTO_POSTGRES_USER}"
      POSTGRES_PASSWORD: "${COMMENTO_POSTGRES_PASSWORD}"
    volumes:
      - commento-postgresql-data:/var/lib/postgresql/data
    networks:
      - appnet
  guacamole-postgresql:
    # database for guacamole (custom image from the local registry, `latest` tag)
    image: ${LOCAL_DOCKER_REGISTRY}guacamole-postgresql:latest
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack-data == yes"
      restart_policy:
        condition: any
    environment:
      POSTGRES_DB: "${GUACAMOLE_POSTGRES_DB}"
      POSTGRES_PASSWORD: "${GUACAMOLE_POSTGRES_PASSWORD}"
    volumes:
      - guacamole-postgresql-data:/var/lib/postgresql/data
    networks:
      - appnet
  nagios:
    # nagios monitoring UI, exposed at /nagios/ by letsencrypt-git.
    # Object configuration is bind-mounted from this repository's nagios/
    # directory (paths resolve on the manager running `stack deploy`).
    # NOTE(review): untagged third-party image (`latest`).
    image: jasonrivers/nagios:latest
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack == yes"
      restart_policy:
        condition: any
    environment:
      NAGIOSADMIN_USER: "${NAGIOS_ADMIN_USER}"
      NAGIOSADMIN_PASS: "${NAGIOS_ADMIN_PASSWORD}"
    volumes:
      - ./nagios/conf.d:/opt/nagios/etc/conf.d/
      - ./nagios/contacts/contacts.cfg:/opt/nagios/etc/objects/contacts.cfg
    networks:
      - appnet
  matomo:
    # matomo analytics (php-fpm). The web root volume is shared read-only
    # with matomo-web, which serves it at /analytics/.
    image: matomo:fpm-alpine
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack == yes"
      restart_policy:
        condition: any
    volumes:
      # - ./config:/var/www/html/config:rw
      # - ./logs:/var/www/html/logs
      - matomo:/var/www/html
    environment:
      MATOMO_DATABASE_HOST: "matomo-mariadb"
      MATOMO_DATABASE_ADAPTER: "mysql"
      MATOMO_DATABASE_TABLES_PREFIX: "matomo_"
      MATOMO_DATABASE_USERNAME: "matomo"
      MATOMO_DATABASE_PASSWORD: "${MATOMO_MYSQL_PASSWORD}"
      MATOMO_DATABASE_DBNAME: "matomo"
      # same credentials in the MYSQL_* spelling
      MYSQL_USER: "matomo"
      MYSQL_PASSWORD: "${MATOMO_MYSQL_PASSWORD}"
      MYSQL_DATABASE: "matomo"
    networks:
      - appnet
  matomo-web:
    # nginx front end for matomo: serves the shared web root read-only and
    # hands PHP to the matomo fpm service. Reached via letsencrypt-git's
    # MATOMO_PROXY_PASS.
    image: nginx:alpine
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack == yes"
      restart_policy:
        condition: any
    volumes:
      - matomo:/var/www/html:ro
      # see https://github.com/matomo-org/matomo-nginx
      - ./matomo/matomo.conf:/etc/nginx/conf.d/default.conf:ro
    networks:
      - appnet
  matomo-mariadb:
    # MariaDB for matomo on the data node. A dedicated `matomo` user is
    # created for the application; root is only used for initialisation.
    image: mariadb:10
    command: --max-allowed-packet=128MB
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack-data == yes"
      restart_policy:
        condition: any
    environment:
      MYSQL_ROOT_PASSWORD: "${MATOMO_MYSQL_ROOT_PASSWORD}"
      MYSQL_DATABASE: "matomo"
      MYSQL_USER: "matomo"
      MYSQL_PASSWORD: "${MATOMO_MYSQL_PASSWORD}"
    volumes:
      - matomo-mariadb:/var/lib/mysql
    networks:
      - appnet
  zabbix-mariadb:
    # MariaDB for zabbix-server / zabbix-web on the data node, with a
    # dedicated `zabbix` application user.
    image: mariadb:10
    command: --max-allowed-packet=128MB
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack-data == yes"
      restart_policy:
        condition: any
    environment:
      MYSQL_ROOT_PASSWORD: "${ZABBIX_MYSQL_ROOT_PASSWORD}"
      MYSQL_DATABASE: "zabbix"
      MYSQL_USER: "zabbix"
      MYSQL_PASSWORD: "${ZABBIX_MYSQL_PASSWORD}"
    volumes:
      - zabbix-mariadb:/var/lib/mysql
    networks:
      - appnet
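  zabbix-server:
    # zabbix server process; stores into zabbix-mariadb, UI is zabbix-web.
    # NOTE(review): untagged image, so `latest` is pulled on each deploy.
    image: zabbix/zabbix-server-mysql
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack-data == yes"
      restart_policy:
        condition: any
    environment:
      DB_SERVER_HOST: "zabbix-mariadb"
      MYSQL_USER: "zabbix"
      MYSQL_PASSWORD: "${ZABBIX_MYSQL_PASSWORD}"
    # `networks` was declared twice in this service; YAML forbids duplicate
    # keys and loaders either reject the file or silently keep one copy.
    networks:
      - appnet
    ports:
      # agent (10050) and trapper (10051) ports published on every node;
      # anything that can reach a node can talk to the zabbix server directly.
      - "10050:10050"
      - "10051:10051"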
  zabbix-web:
    # zabbix web UI (nginx + php), exposed at /zabbix/ by letsencrypt-git.
    # NOTE(review): untagged image, so `latest` is pulled on each deploy.
    image: zabbix/zabbix-web-nginx-mysql
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack-data == yes"
      restart_policy:
        condition: any
    environment:
      DB_SERVER_HOST: "zabbix-mariadb"
      MYSQL_USER: "zabbix"
      MYSQL_PASSWORD: "${ZABBIX_MYSQL_PASSWORD}"
      ZBX_SERVER_HOST: "zabbix-server"
      PHP_TZ: "Europe/London"
    networks:
      - appnet
  # The backend guacamole server: guacd performs the RDP/VNC/SSH protocol
  # work on behalf of the guacamole web app. Not published; appnet only.
  guacd:
    image: guacamole/guacd:latest  # NOTE(review): moving `latest` tag
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack == yes"
      restart_policy:
        condition: any
    networks:
      - appnet
  guacamole:
    # guacamole web front end (remote desktop gateway), exposed at /remote/ by
    # letsencrypt-git; user/connection data lives in guacamole-postgresql.
    image: guacamole/guacamole:latest  # NOTE(review): moving `latest` tag
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack == yes"
      restart_policy:
        condition: any
    environment:
      GUACD_HOSTNAME: "guacd"
      POSTGRES_HOSTNAME: "guacamole-postgresql"
      POSTGRES_PORT: "5432"
      POSTGRES_DATABASE: "${GUACAMOLE_POSTGRES_DB}"
      POSTGRES_USER: "${GUACAMOLE_POSTGRES_USER}"
      POSTGRES_PASSWORD: "${GUACAMOLE_POSTGRES_PASSWORD}"
    networks:
      - appnet
  chat:
    # rocket.chat, exposed at /chat/ by letsencrypt-git. The initial admin
    # account is created from ADMIN_* on first start.
    image: rocketchat/rocket.chat:3.0.7
    deploy:
      replicas: 0  # will scale after mongo initiated (replica set rs0 must exist first)
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack == yes"
      restart_policy:
        condition: any
    environment:
      ROOT_URL: "https://${GIT_DOMAIN}/chat"
      PORT: "3000"
      MONGO_URL: "mongodb://chat-mongo:27017/rocketchat"
      MONGO_OPLOG_URL: "mongodb://chat-mongo:27017/local"
      ADMIN_USERNAME: "${CHAT_ADMIN_NAME}"
      ADMIN_PASS: "${CHAT_ADMIN_PASSWORD}"
      ADMIN_EMAIL: "${CHAT_ADMIN_EMAIL}"
    volumes:
      - chat-uploads:/app/uploads
    networks:
      - appnet
  chat-mongo:
    # MongoDB replica set member (rs0) for rocket.chat on the data node.
    # NOTE(review): the MONGO_URL above carries no credentials and mongod is
    # started without --auth, so any task on appnet can read and write the
    # chat database; the mongod log is also discarded (MONGO_LOG_DIR=/dev/null).
    image: mongo:4.0
    command: mongod --smallfiles --replSet rs0 --oplogSize 128
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.labels.com.sigyl.git-stack-data == yes"
      restart_policy:
        condition: any
    environment:
      MONGO_DATA_DIR: "/data/db"
      MONGO_LOG_DIR: "/dev/null"
    volumes:
      - mongo-chat:/data/db
    networks:
      - appnet
  portainer:
    # portainer UI, pinned to a manager node and exposed at /portainer/.
    # It manages the cluster through portainer-agent (tasks.portainer-agent)
    # and additionally has the manager's Docker socket mounted.
    # NOTE(review): --tlsskipverify disables certificate verification on the
    # agent connection; tolerable only because that traffic stays inside appnet.
    image: portainer/portainer:1.23.2
    command: -H tcp://tasks.portainer-agent:9001 --tlsskipverify
    # command: -H unix:///var/run/docker.sock
    deploy:
      replicas: 1
      placement:
        constraints:
          - "node.role == manager"
      restart_policy:
        condition: any
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer-data:/data
    networks:
      #- proxy
      - appnet
  portainer-agent:
    # portainer agent, one task per linux node (mode: global). With the
    # Docker socket and the volumes directory mounted, each agent task is
    # root-equivalent on its node; whoever controls portainer controls the cluster.
    image: portainer/agent:1.5.1
    environment:
      # REQUIRED: Should be equal to the service name prefixed by "tasks." when
      # deployed inside an overlay network
      AGENT_CLUSTER_ADDR: "tasks.portainer-agent"
      # AGENT_PORT: 9001
      # LOG_LEVEL: debug
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks:
      - appnet
    deploy:
      mode: global
      placement:
        constraints:
          - "node.platform.os == linux"
  560. volumes:
  561. gitea-app:
  562. drone:
  563. drone-data:
  564. registry-data:
  565. registry-cache-data:
  566. guacamole-postgresql-data:
  567. commento-postgresql-data:
  568. letsencrypt-git:
  569. letsencrypt-drone:
  570. ghost-content:
  571. ghost-data:
  572. ghost-content-adapters:
  573. ghost-content-settings:
  574. ghost-content-images:
  575. mongo-chat:
  576. chat-uploads:
  577. portainer-data:
  578. matomo:
  579. matomo-mariadb:
  580. zabbix-mariadb:
  581. networks:
  582. appnet:
  583. driver: overlay
  584. #external: true
  585. secrets:
  586. 'registry-cert':
  587. file: .certificates/registry.crt
  588. 'registry-key':
  589. file: .certificates/registry.key