taiars/nora
1
0
Fork 0
mirror of https://github.com/getnora-io/nora.git synced 2026-04-12 09:10:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: rewrite README — new slogan, roadmap, trim TLS/FSTEC, fix config example

Browse Source
This commit is contained in:
devitway
2026-03-16 07:39:43 +00:00
parent bbff337b4c
commit 9c8fee5a5d
1 changed files with 24 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
README.md
View File

@@ -7,11 +7,11 @@
[![Docs](https://img.shields.io/badge/docs-getnora.dev-green?logo=gitbook)](https://getnora.dev) [![Docs](https://img.shields.io/badge/docs-getnora.dev-green?logo=gitbook)](https://getnora.dev)
[![Telegram](https://img.shields.io/badge/Telegram-Community-blue?logo=telegram)](https://t.me/getnora) [![Telegram](https://img.shields.io/badge/Telegram-Community-blue?logo=telegram)](https://t.me/getnora)
> **Your Cloud-Native Artifact Registry** > **Multi-protocol artifact registry that doesn't suck.**
>
> One binary. All protocols. Stupidly fast.
Fast. Organized. Feel at Home. **32 MB** binary | **< 100 MB** RAM | **3s** startup | **5** protocols
**10x faster** than Nexus | **< 100 MB RAM** | **32 MB Docker image**
## Features ## Features
@@ -160,9 +160,14 @@ path = "data/storage"
enabled = false enabled = false
htpasswd_file = "users.htpasswd" htpasswd_file = "users.htpasswd"
[docker]
proxy_timeout = 60
[[docker.upstreams]]
url = "https://registry-1.docker.io"
``` ```
See [full config reference](https://getnora.dev/configuration/settings/) for rate limiting, secrets, and proxy settings. See [full config reference](https://getnora.dev/configuration/settings/) for rate limiting, secrets, proxy auth, and all options.
## Endpoints ## Endpoints
@@ -181,20 +186,7 @@ See [full config reference](https://getnora.dev/configuration/settings/) for rat
## TLS / HTTPS ## TLS / HTTPS
NORA serves plain HTTP by design. **TLS is intentionally not built into the binary** — this is a deliberate architectural decision: NORA serves plain HTTP. Use a reverse proxy for TLS:
- **Single responsibility**: NORA manages artifacts, not certificates. Embedding TLS means bundling Let's Encrypt clients, certificate renewal logic, ACME challenges, and custom CA support — all of which already exist in battle-tested tools.
- **Operational simplicity**: One place for certificates (reverse proxy), not scattered across every service. When a cert expires, you fix it in one config — not in NORA, Grafana, GitLab, and every other service separately.
- **Industry standard**: Docker Hub, GitHub Container Registry, AWS ECR, Harbor, Nexus — none of them terminate TLS in the registry process. A reverse proxy in front is the universal pattern.
- **Zero-config internal use**: On trusted networks (lab, CI/CD), NORA works out of the box without generating self-signed certs or managing keystores.
### Production (recommended): reverse proxy with auto-TLS
```
Client → Caddy/Nginx (HTTPS, port 443) → NORA (HTTP, port 4000)
```
Caddy example:
``` ```
registry.example.com { registry.example.com {
@@ -202,27 +194,7 @@ registry.example.com {
} }
``` ```
Nginx example: For internal networks without TLS, configure Docker:
```nginx
server {
listen 443 ssl;
server_name registry.example.com;
ssl_certificate /etc/letsencrypt/live/registry.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/registry.example.com/privkey.pem;
client_max_body_size 0; # unlimited for large image pushes
location / {
proxy_pass http://127.0.0.1:4000;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
```
### Internal / Lab: insecure registry
If you run NORA without TLS (e.g., on a private network), configure Docker to trust it:
```json ```json
// /etc/docker/daemon.json // /etc/docker/daemon.json
@@ -231,24 +203,11 @@ If you run NORA without TLS (e.g., on a private network), configure Docker to tr
} }
``` ```
Then restart Docker: See [TLS / HTTPS guide](https://getnora.dev/configuration/tls/) for Nginx, Traefik, and custom CA setup.
```bash
sudo systemctl restart docker
```
> **Note:** `insecure-registries` disables TLS verification for that host. Use only on trusted networks.
## FSTEC-Certified OS Builds ## FSTEC-Certified OS Builds
NORA provides dedicated Dockerfiles for Russian FSTEC-certified operating systems: Dedicated builds for Astra Linux SE and RED OS are published as `-astra` and `-redos` tagged images in every [GitHub Release](https://github.com/getnora-io/nora/releases). Both use `scratch` base with statically-linked binary.
- `Dockerfile.astra` — Astra Linux SE (for government and defense sector)
- `Dockerfile.redos` — RED OS (for enterprise and public sector)
Both use `scratch` base with statically-linked binary for minimal attack surface. Comments in each file show how to switch to official distro base images if required by your security policy.
These builds are published as `-astra` and `-redos` tagged images in GitHub Releases.
## Performance ## Performance
@@ -258,6 +217,16 @@ These builds are published as `-astra` and `-redos` tagged images in GitHub Rele
| Memory | < 100 MB | 2-4 GB | 2-4 GB | | Memory | < 100 MB | 2-4 GB | 2-4 GB |
| Image Size | 32 MB | 600+ MB | 1+ GB | | Image Size | 32 MB | 600+ MB | 1+ GB |
## Roadmap
- **OIDC / Workload Identity** — zero-secret auth for GitHub Actions, GitLab CI
- **Online Garbage Collection** — non-blocking cleanup without registry downtime
- **Retention Policies** — declarative rules: keep last N tags, delete older than X days
- **Image Signing** — cosign/notation verification and policy enforcement
- **Replication** — push/pull sync between NORA instances
See [CHANGELOG.md](CHANGELOG.md) for release history.
## Author ## Author
**Created and maintained by [DevITWay](https://github.com/devitway)** **Created and maintained by [DevITWay](https://github.com/devitway)**