some fixes

README.md

@@ -6,32 +6,41 @@ This document provides a minimal, engineer‑oriented guide to deploy Harbor on
 
 1. **Update base system**
    ```bash
-   sudo dnf update -y
+   sudo -i
+   dnf update -y
    ```
 
 2. **Enable EPEL and install dependencies**
    ```bash
-   sudo dnf install -y epel-release
-   sudo dnf install -y \
+   dnf install -y epel-release
+   dnf install -y \
      podman podman-docker buildah podman-compose \
-     python3-pip wget tar gzip \
+     python3-pip wget tar gzip git \
      policycoreutils-python-utils
    ```
 
-3. **Enable Podman socket**
+3. **Configure Podman**
+   - Basic settings
    ```bash
-   sudo systemctl enable --now podman.socket
+   systemctl enable --now podman.socket
+   sed -i 's/unqualified-search-registries = \["registry.access.redhat.com", "registry.redhat.io", "docker.io"\]/unqualified-search-registries = ["docker.io"]/g' /etc/containers/registries.conf
    ```
-
-4. **SELinux configuration**
    - Allow containers to manage cgroups:
      ```bash
-     sudo setsebool -P container_manage_cgroup true
+     setsebool -P container_manage_cgroup true
      ```
-   - Label persistent data directory:
+
+4. **Clone your Git repository**
+   ```bash
+   cd /opt
+   git clone ssh://git@code.swissmakers.ch:6022/michael.reber/harbor-podman.git
+   ```
+
+5. **SELinux configuration**
+   - Set the correct label on persistent data directory:
      ```bash
-     sudo semanage fcontext -a -t svirt_sandbox_file_t "/opt/harbor-podman(/.*)?"
-     sudo restorecon -R /opt/harbor-podman
+     semanage fcontext -a -t svirt_sandbox_file_t "/opt/harbor-podman(/.*)?"
+     restorecon -R /opt/harbor-podman
      ```
 
 5. **Firewall (firewalld)**
@@ -39,40 +48,12 @@ This document provides a minimal, engineer‑oriented guide to deploy Harbor on
    sudo firewall-cmd --add-port=443/tcp
    sudo firewall-cmd --add-port=443/tcp --permanent
    ```
-
-## 2. Repository Setup
-
-1. **Create target directory**
-   ```bash
-   sudo mkdir -p /opt/harbor-podman
-   ```
-
-2. **Clone your Git repository**
-   ```bash
-   cd /opt/harbor-podman
-   git clone ssh://git@code.swissmakers.ch:6022/michael.reber/harbor-podman.git .
-   ```
-
-3. **Prepare `harbor.yml`**
-   - Copy template:
-     ```bash
-     cp harbor.yml.tmpl harbor.yml
-     ```
-   - Update hostname:
-     ```bash
-     sed -i 's|^hostname:.*|hostname: harbor.swissmakers.ch|' harbor.yml
-     ```
-   - Set data volume path:
-     ```bash
-     sed -i 's|^data_volume: .*|data_volume: /opt/harbor-podman|' harbor.yml
-     ```
-
 ## 3. TLS Certificate Generation
 
 Generate a self‑signed certificate valid for 10 years:
 ```bash
-sudo mkdir -p /opt/harbor-podman/cert
-sudo openssl req -newkey rsa:4096 -nodes -x509 -days 3650 \
+mkdir -p /opt/harbor-podman/cert
+openssl req -newkey rsa:4096 -nodes -x509 -days 3650 \
   -subj "/C=CH/ST=Bern/L=Bern/O=Swissmakers/CN=harbor.swissmakers.ch" \
   -keyout /opt/harbor-podman/cert/harbor.key \
   -out    /opt/harbor-podman/cert/harbor.crt
@@ -80,38 +61,34 @@ sudo openssl req -newkey rsa:4096 -nodes -x509 -days 3650 \
 
 Apply ownership:
 ```bash
-sudo chown -R 1000:1000 /opt/harbor-podman
+chown -R 1000:1000 /opt/harbor-podman
 ```
 
-Inject cert paths into `harbor.yml`:
-```bash
-sed -i "s|^\(certificate:\).*|\1 /opt/harbor-podman/cert/harbor.crt|" harbor.yml
-sed -i "s|^\(private_key:\).*|\1 /opt/harbor-podman/cert/harbor.key|" harbor.yml
-```
+## 4. Prepare harbor.yml and set passwords
 
-## 4. Credentials Hardening
-
-Generate random passwords for admin and database:
-```bash
-sed -i "s|^harbor_admin_password:.*|harbor_admin_password: \"$(openssl rand -base64 30)\"|" harbor.yml
-
-# Update DB password under `database:` block (two lines below):
-sed -i "/^database:/ { n; n; s|^  password:.*|  password: \"$(openssl rand -base64 30)\"| }" harbor.yml
-```
+   - Copy template:
+     ```bash
+     cd /opt/harbor-podman
+     cp harbor.yml.tmpl harbor.yml
+     ```
+   - Update Harbor hostname:
+     ```bash
+     sed -i 's|^hostname:.*|hostname: harbor.swissmakers.ch|' harbor.yml
+     ```
+   - Generate random passwords for admin and database:
+   ```bash
+   sed -i "s|^harbor_admin_password:.*|harbor_admin_password: \"$(openssl rand -base64 30)\"|" harbor.yml
+   sed -i "/^database:/ { n; n; s|^  password:.*|  password: \"$(openssl rand -base64 30)\"| }" harbor.yml
+   ```
 
 ## 5. Run the modified Installer for Podman
 
-1. **Ensure installer picks up bundle directory**
-   ```bash
-   export HARBOR_BUNDLE_DIR=/opt/harbor-podman
-   ```
-
-2. **Run it with or without included trivy-setup**
+1. **Run it with or without included trivy-setup**
    ```bash
    ./install.sh --with-trivy
    ```
 
-3. **Verify**
+2. **Verify**
    ```bash
    podman ps -a
    podman logs harbor-core

harbor.yml.tmpl

@@ -14,8 +14,8 @@ https:
   # https port for harbor, default is 443
   port: 443
   # The path of cert and key files for nginx
-  certificate: /your/certificate/path
-  private_key: /your/private/key/path
+  certificate: /opt/harbor-podman/cert/harbor.crt
+  private_key: /opt/harbor-podman/cert/harbor.key
   # enable strong ssl ciphers (default: false)
   # strong_ssl_ciphers: false
 
@@ -63,7 +63,7 @@ database:
   conn_max_idle_time: 0
 
 # The default data volume
-data_volume: /data
+data_volume: /opt/harbor-podman
 
 # Harbor Storage settings by default is using /data dir on local filesystem
 # Uncomment storage_service setting If you want to using external storage

install.sh

@@ -36,6 +36,8 @@ while [ $# -gt 0 ]; do
 done
 
 workdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+export HARBOR_BUNDLE_DIR=/opt/harbor-podman
+
 cd $workdir
 
 mkdir -p common/config