add mautrix registry

Crow-Control · Crow-Control · commit 7c7058775f69 · 2026-02-18T13:33:20.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - **Compose-native auto-compose discovery** — Added `dd.compose.native` / `wud.compose.native` container labels to enable deriving compose file paths from native Compose labels (`com.docker.compose.project.config_files` + `com.docker.compose.project.working_dir`) when `dd.compose.file` is not set. This requires the resolved compose path to exist inside the drydock container (same path context used by `docker compose`).
 - **Watcher-wide compose-native default** — Added `DD_WATCHER_{name}_COMPOSE_NATIVE=true` to enable compose-native path discovery for all containers watched by a Docker watcher, with per-container `dd.compose.native` still taking precedence.
+- **MAU registry provider (`dock.mau.dev`)** — Added a GitLab-based `mau` registry provider with token auth support. It is auto-registered as `mau.public` by default for public access and can also be configured as private via `DD_REGISTRY_MAU_{name}_TOKEN`.
 
 ### Fixed
 
diff --git a/README.md b/README.md
@@ -323,6 +323,7 @@ See full configuration in [`docs/configuration/security/README.md`](docs/configu
 | Google Artifact Registry | `gar` | `*-docker.pkg.dev` |
 | Quay | `quay` | `quay.io` |
 | LinuxServer (LSCR) | `lscr` | `lscr.io` |
+| MAU | `mau` | `dock.mau.dev` |
 | DigitalOcean | `docr` | `registry.digitalocean.com` |
 | Codeberg | `codeberg` | `codeberg.org` |
 | DHI | `dhi` | `dhi.io` |
@@ -344,6 +345,7 @@ See full configuration in [`docs/configuration/security/README.md`](docs/configu
 | GitLab | `gitlab` | `DD_REGISTRY_GITLAB_{name}_TOKEN` |
 | GitHub (GHCR) | `ghcr` | `DD_REGISTRY_GHCR_{name}_TOKEN` |
 | Gitea / Forgejo | `gitea` | `DD_REGISTRY_GITEA_{name}_LOGIN`, `_PASSWORD` |
+| MAU Registry (GitLab-based) | `mau` | `DD_REGISTRY_MAU_{name}_TOKEN` |
 | Harbor | `harbor` | `DD_REGISTRY_HARBOR_{name}_URL`, `_LOGIN`, `_PASSWORD` |
 | JFrog Artifactory | `artifactory` | `DD_REGISTRY_ARTIFACTORY_{name}_URL`, `_LOGIN`, `_PASSWORD` |
 | Sonatype Nexus | `nexus` | `DD_REGISTRY_NEXUS_{name}_URL`, `_LOGIN`, `_PASSWORD` |
diff --git a/app/registries/providers/mau/Mau.test.ts b/app/registries/providers/mau/Mau.test.ts
@@ -0,0 +1,156 @@
+// @ts-nocheck
+import axios from 'axios';
+import Mau from './Mau.js';
+
+const TEST_TOKEN = 'abcdef';
+
+const mau = new Mau();
+mau.configuration = {
+  url: 'https://dock.mau.dev',
+  authurl: 'https://dock.mau.dev',
+  token: TEST_TOKEN,
+};
+
+vi.mock('axios');
+
+test('validatedConfiguration should initialize when configuration is empty string', async () => {
+  expect(mau.validateConfiguration('')).toStrictEqual({});
+});
+
+test('validatedConfiguration should initialize when configuration is valid', async () => {
+  expect(
+    mau.validateConfiguration({
+      token: TEST_TOKEN,
+    }),
+  ).toStrictEqual({
+    url: 'https://dock.mau.dev',
+    authurl: 'https://dock.mau.dev',
+    token: TEST_TOKEN,
+  });
+});
+
+test('maskConfiguration should mask token', async () => {
+  expect(mau.maskConfiguration()).toEqual({
+    url: 'https://dock.mau.dev',
+    authurl: 'https://dock.mau.dev',
+    token: 'a****f',
+  });
+});
+
+test('match should return true for dock.mau.dev', async () => {
+  expect(
+    mau.match({
+      registry: {
+        url: 'dock.mau.dev',
+      },
+    }),
+  ).toBeTruthy();
+});
+
+test('match should return true for subdomains of dock.mau.dev', async () => {
+  expect(
+    mau.match({
+      registry: {
+        url: 'registry.dock.mau.dev',
+      },
+    }),
+  ).toBeTruthy();
+});
+
+test('match should return false for other registries', async () => {
+  expect(
+    mau.match({
+      registry: {
+        url: 'registry.gitlab.com',
+      },
+    }),
+  ).toBeFalsy();
+});
+
+test('authenticate should perform request with token auth when token is configured', async () => {
+  axios.mockImplementation(() => ({
+    data: {
+      token: 'token',
+    },
+  }));
+
+  await expect(
+    mau.authenticate(
+      { name: 'team/image' },
+      {
+        headers: {},
+      },
+    ),
+  ).resolves.toEqual({ headers: { Authorization: 'Bearer token' } });
+
+  expect(axios).toHaveBeenCalledWith(
+    expect.objectContaining({
+      headers: expect.objectContaining({
+        Authorization: `Basic ${Buffer.from(`:${TEST_TOKEN}`, 'utf-8').toString('base64')}`,
+      }),
+    }),
+  );
+});
+
+test('authenticate should omit basic auth when token is not configured', async () => {
+  const mauPublic = new Mau();
+  mauPublic.configuration = {
+    url: 'https://dock.mau.dev',
+    authurl: 'https://dock.mau.dev',
+  };
+
+  axios.mockImplementation(() => ({
+    data: {
+      token: 'public-token',
+    },
+  }));
+
+  await expect(
+    mauPublic.authenticate(
+      { name: 'team/image' },
+      {
+        headers: {},
+      },
+    ),
+  ).resolves.toEqual({ headers: { Authorization: 'Bearer public-token' } });
+
+  expect(axios).toHaveBeenCalledWith(
+    expect.objectContaining({
+      headers: {
+        Accept: 'application/json',
+      },
+    }),
+  );
+});
+
+test('normalizeImage should return the proper registry v2 endpoint', async () => {
+  expect(
+    mau.normalizeImage({
+      name: 'test/image',
+      registry: {
+        url: 'dock.mau.dev',
+      },
+    }),
+  ).toStrictEqual({
+    name: 'test/image',
+    registry: {
+      url: 'https://dock.mau.dev/v2',
+    },
+  });
+});
+
+test('getAuthPull should return undefined when no token is configured', async () => {
+  const mauPublic = new Mau();
+  mauPublic.configuration = {
+    url: 'https://dock.mau.dev',
+    authurl: 'https://dock.mau.dev',
+  };
+  await expect(mauPublic.getAuthPull()).resolves.toBeUndefined();
+});
+
+test('getAuthPull should return username/password when token is configured', async () => {
+  await expect(mau.getAuthPull()).resolves.toEqual({
+    username: '',
+    password: TEST_TOKEN,
+  });
+});
diff --git a/app/registries/providers/mau/Mau.ts b/app/registries/providers/mau/Mau.ts
@@ -0,0 +1,93 @@
+// @ts-nocheck
+import axios from 'axios';
+import Gitlab from '../gitlab/Gitlab.js';
+
+/**
+ * dock.mau.dev (GitLab-based) Container Registry integration.
+ */
+class Mau extends Gitlab {
+  /**
+   * Get the mau configuration schema.
+   * @returns {*}
+   */
+  getConfigurationSchema() {
+    return this.joi.alternatives([
+      this.joi.string().allow(''),
+      this.joi.object().keys({
+        url: this.joi.string().uri().default('https://dock.mau.dev'),
+        authurl: this.joi.string().uri().default('https://dock.mau.dev'),
+        token: this.joi.string(),
+      }),
+    ]);
+  }
+
+  /**
+   * Custom init behavior.
+   */
+  init() {
+    this.configuration = this.configuration || {};
+    if (typeof this.configuration === 'string') {
+      this.configuration = {};
+    }
+    this.configuration.url = this.configuration.url || 'https://dock.mau.dev';
+    this.configuration.authurl = this.configuration.authurl || 'https://dock.mau.dev';
+  }
+
+  /**
+   * Sanitize sensitive data.
+   * @returns {*}
+   */
+  maskConfiguration() {
+    return this.maskSensitiveFields(['token']);
+  }
+
+  /**
+   * Return true if image registry matches dock.mau.dev.
+   * @param image the image
+   * @returns {boolean}
+   */
+  match(image) {
+    return /^.*\.?dock\.mau\.dev$/i.test(image.registry.url);
+  }
+
+  /**
+   * Authenticate to dock.mau.dev.
+   * @param image
+   * @param requestOptions
+   * @returns {Promise<*>}
+   */
+  async authenticate(image, requestOptions) {
+    const request = {
+      method: 'GET',
+      url: `${this.configuration.authurl}/jwt/auth?service=container_registry&scope=repository:${image.name}:pull`,
+      headers: {
+        Accept: 'application/json',
+      },
+    };
+
+    if (this.configuration.token) {
+      request.headers.Authorization = `Basic ${Mau.base64Encode('', this.configuration.token)}`;
+    }
+
+    const response = await axios(request);
+    const requestOptionsWithAuth = requestOptions;
+    requestOptionsWithAuth.headers.Authorization = `Bearer ${response.data.token}`;
+    return requestOptionsWithAuth;
+  }
+
+  /**
+   * Return auth for pull when token is configured.
+   * @returns {{password: *, username: string}|undefined}
+   */
+  async getAuthPull() {
+    if (!this.configuration.token) {
+      return undefined;
+    }
+    return {
+      username: '',
+      password: this.configuration.token,
+    };
+  }
+}
+
+export default Mau;
diff --git a/app/registry/index.test.ts b/app/registry/index.test.ts
@@ -158,6 +158,7 @@ test('registerRegistries should register all registries', async () => {
     'hub.private',
     'ibmcr.public',
     'lscr.public',
+    'mau.public',
     'ocir.public',
     'quay.public',
     'trueforge.public',
@@ -178,6 +179,7 @@ test('registerRegistries should register all anonymous registries by default', a
     'hub.public',
     'ibmcr.public',
     'lscr.public',
+    'mau.public',
     'ocir.public',
     'quay.public',
     'trueforge.public',
@@ -563,6 +565,7 @@ test('init should register all components', async () => {
     'hub.private',
     'ibmcr.public',
     'lscr.public',
+    'mau.public',
     'ocir.public',
     'quay.public',
     'trueforge.public',
diff --git a/app/registry/index.ts b/app/registry/index.ts
@@ -345,6 +345,7 @@ async function registerRegistries() {
     hub: { public: '' },
     ibmcr: { public: '' },
     lscr: { public: '' },
+    mau: { public: '' },
     ocir: { public: '' },
     quay: { public: '' },
     trueforge: { public: '' },
