feat(gpu-box): add verdaccio service + bundle config in repo

Phase 2f-1: verdaccio (npm.mana.how) was the heaviest non-hot-path service still left on the Mini after Phase 2 — read-mostly registry that ci/local pnpm-installs hit, latency-unkritisch. Moved into infrastructure/docker-compose.gpu-box.yml. Storage volume content (@mana/* packages + htpasswd) migrated via tar-stream. Config came from the mana-platform repo's infrastructure/verdaccio/config.yaml. Copied into mana-monorepo so the GPU-Box's sparse-clone (already pulling scripts/ + packages/shared-branding) can also bind-mount it without needing a second repo on the box. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 18:01:09 +02:00 · 2026-05-07 15:54:37 +02:00 · 2026-05-07 15:54:37 +02:00 · 6e40546119
commit 6e40546119
parent 0686300243
2 changed files with 116 additions and 0 deletions
--- a/infrastructure/docker-compose.gpu-box.yml
+++ b/infrastructure/docker-compose.gpu-box.yml
@ -485,9 +485,38 @@ services:
      retries: 3
      start_period: 30s

+  # ============================================
+  # Phase 2f-1 — Verdaccio npm-Registry (2026-05-07)
+  # @mana/* private packages. Migrated from Mini (was in mana-platform
+  # repo's infrastructure/docker-compose.macmini.yml). Read-heavy bei
+  # CI-Builds, latency-unkritisch — perfekt für GPU-Box-Hosting. Config
+  # lebt jetzt in mana-monorepo's infrastructure/verdaccio/config.yaml,
+  # sparse-clone trägt das Verzeichnis auf der GPU-Box ein.
+  # ============================================
+  verdaccio:
+    image: verdaccio/verdaccio:6
+    container_name: mana-verdaccio
+    restart: unless-stopped
+    ports:
+      - '4873:4873'
+    environment:
+      VERDACCIO_PORT: 4873
+    volumes:
+      - /srv/mana/source/infrastructure/verdaccio/config.yaml:/verdaccio/conf/config.yaml:ro
+      - verdaccio-storage:/verdaccio/storage
+      - verdaccio-plugins:/verdaccio/plugins
+    healthcheck:
+      test: ['CMD', 'wget', '--quiet', '--tries=1', '--spider', 'http://localhost:4873/-/ping']
+      interval: 60s
+      timeout: 5s
+      retries: 3
+      start_period: 30s
+
 volumes:
  glitchtip-pg-data:
  status-output:
+  verdaccio-storage:
+  verdaccio-plugins:
  mana-grafana-data:
  victoriametrics-data:
  loki-data:
--- a/infrastructure/verdaccio/config.yaml
+++ b/infrastructure/verdaccio/config.yaml
@ -0,0 +1,87 @@
+# Verdaccio config — mana e.V. private npm registry.
+# Docs: https://verdaccio.org/docs/configuration
+#
+# Storage layout (writable inside the container):
+#   /verdaccio/storage   — Tar.gz pro Paket-Version + Index-JSONs
+#   /verdaccio/htpasswd  — bcrypt-gehashte User-Credentials
+
+storage: /verdaccio/storage
+plugins: /verdaccio/plugins
+
+# Network address Verdaccio listens on. Inside the container always 0.0.0.0;
+# the host binding (4873) is configured in docker-compose.
+listen: 0.0.0.0:4873
+
+# --- Web UI -----------------------------------------------------------
+web:
+  title: mana e.V. — npm registry
+  gravatar: false
+  scope: '@mana'
+
+# --- Authentication ---------------------------------------------------
+# htpasswd file lives in the storage volume so it survives container
+# restarts. Add users with:
+#   docker exec mana-verdaccio htpasswd -B /verdaccio/htpasswd <user>
+#
+# `max_users: -1` disables web-based self-registration. Users come in
+# only via htpasswd (admin-controlled).
+auth:
+  htpasswd:
+    # Lives inside the storage volume so it survives restarts and gets
+    # backed up with the rest of the registry state.
+    file: /verdaccio/storage/htpasswd
+    # No new self-registration. Add users by inserting a row into
+    # htpasswd manually (`docker exec mana-verdaccio htpasswd -B …`)
+    # or by flipping this to a positive value briefly.
+    max_users: -1
+
+# --- Public-package proxying -----------------------------------------
+# Verdaccio fetches `hono`, `react`, etc. from npmjs.org on first request
+# and caches them in the storage volume. Speeds up subsequent installs
+# and gives us continuity if npmjs.org is down.
+uplinks:
+  npmjs:
+    url: https://registry.npmjs.org/
+    cache: true
+    timeout: 30s
+
+# --- Access control ---------------------------------------------------
+# Pattern matching is first-match. Order matters: @mana/* before **
+#
+# `$authenticated` = user logged in via htpasswd
+# `$all`           = anyone (public anonymous reads)
+#
+# Our policy:
+#   @mana/*  — only authenticated users can read or publish
+#   **       — authenticated users can install (proxied from npmjs)
+#              and the registry never serves these to anonymous reads
+#              either (we don't run an open mirror for the public)
+packages:
+  '@mana/*':
+    access: $authenticated
+    publish: $authenticated
+    unpublish: $authenticated
+    proxy: # not proxied — we own the namespace
+
+  '**':
+    access: $authenticated
+    publish: $authenticated
+    proxy: npmjs
+
+# --- Logging ----------------------------------------------------------
+# Console-only — Docker captures it. For long-term audit (DSGVO Art. 30
+# claim of code-provenance) we'd add file logging in production.
+log: { type: stdout, format: pretty, level: http }
+
+# --- Security -----------------------------------------------------------
+security:
+  api:
+    legacy: true
+  web:
+    sign:
+      expiresIn: 7d
+    verify:
+      someProp: someValue
+
+# --- Limits -----------------------------------------------------------
+max_body_size: 50mb