A container registry that uses the AT Protocol for manifest storage and S3 for blob storage. atcr.io
docker container atproto go

at vulnerability-scans 149 lines 5.3 kB
# ATCR Hold Service Configuration
# Copy this file to .env and fill in your values

# ==============================================================================
# Required Configuration
# ==============================================================================

# Hold service public URL (REQUIRED)
# The hostname becomes the hold name/record key
# Examples: https://hold1.atcr.io, http://127.0.0.1:8080
HOLD_PUBLIC_URL=http://127.0.0.1:8080

# ==============================================================================
# Storage Configuration
# ==============================================================================

# Storage driver type (s3, filesystem)
# Default: s3
#
# S3 Presigned URLs:
# When using S3 storage, presigned URLs are automatically enabled for direct
# client ↔ S3 transfers. This eliminates the hold service as a bandwidth
# bottleneck, reducing hold bandwidth by ~99% for push/pull operations.
# Falls back to proxy mode automatically for non-S3 drivers.
STORAGE_DRIVER=filesystem

# S3 Access Credentials
AWS_ACCESS_KEY_ID=your_access_key
AWS_SECRET_ACCESS_KEY=your_secret_key

# S3 Region
# Examples: us-east-1, us-west-2, eu-west-1
# For UpCloud: us-chi1, us-nyc1, de-fra1, uk-lon1, sg-sin1
# Default: us-east-1
AWS_REGION=us-east-1

# S3 Bucket Name
S3_BUCKET=atcr-blobs

# S3 Endpoint (for S3-compatible services like Storj, Minio, UpCloud)
# Examples:
# - Storj: https://gateway.storjshare.io
# - UpCloud: https://[bucket-id].upcloudobjects.com
# - Minio: http://minio:9000
# Leave empty for AWS S3
# S3_ENDPOINT=https://gateway.storjshare.io

# For filesystem driver:
# STORAGE_DRIVER=filesystem
# STORAGE_ROOT_DIR=/var/lib/atcr/hold

# ==============================================================================
# Server Configuration
# ==============================================================================

# Server listen address (default: :8080)
# HOLD_SERVER_ADDR=:8080

# Allow public blob reads (pulls) without authentication
# Writes (pushes) always require crew membership via PDS
# Default: false
HOLD_PUBLIC=false

# ==============================================================================
# Embedded PDS Configuration
# ==============================================================================

# Directory path for embedded PDS carstore (SQLite database)
# Default: /var/lib/atcr-hold
# If empty, embedded PDS is disabled
#
# Note: This should be a directory path, NOT a file path
# Carstore creates db.sqlite3 inside this directory
#
# The embedded PDS makes the hold a proper ATProto user with:
# - did:web identity (derived from HOLD_PUBLIC_URL hostname)
# - DID document at /.well-known/did.json
# - XRPC endpoints for crew management
# - ATProto blob endpoints (wraps existing presigned URL logic)
HOLD_DATABASE_DIR=/var/lib/atcr-hold

# Path to signing key (auto-generated on first run if missing)
# Default: {HOLD_DATABASE_DIR}/signing.key
# HOLD_KEY_PATH=/var/lib/atcr-hold/signing.key

# ==============================================================================
# Bluesky Integration
# ==============================================================================

# Enable Bluesky posts when users push container images (default: false)
# When enabled, the hold's embedded PDS will create posts announcing image pushes
# Synced to captain record's enableBlueskyPosts field on startup
# HOLD_BLUESKY_POSTS_ENABLED=false

# ==============================================================================
# Registration (REQUIRED)
# ==============================================================================

# Your ATProto DID (REQUIRED for registration)
# Get your DID: https://bsky.social/xrpc/com.atproto.identity.resolveHandle?handle=yourhandle.bsky.social
#
# On first run with HOLD_OWNER set:
# 1. Hold service will print an OAuth URL to the logs
# 2. Visit the URL in your browser to authorize
# 3. Hold service creates hold + crew records in your PDS
# 4. Registration complete!
#
# On subsequent runs:
# - Hold service checks if already registered
# - Skips OAuth if records exist
#
HOLD_OWNER=did:plc:your-did-here

# ==============================================================================
# Scanner Configuration (SBOM & Vulnerability Scanning)
# ==============================================================================

# Enable automatic SBOM generation and vulnerability scanning on image push
# Default: true
HOLD_SBOM_ENABLED=true

# Number of concurrent scanner worker threads
# Default: 2
HOLD_SBOM_WORKERS=2

# Enable vulnerability scanning with Grype
# If false, only SBOM generation (Syft) will run
# Default: true
HOLD_VULN_ENABLED=true

# Path to Grype vulnerability database
# Database is auto-downloaded and cached at this location
# Default: /var/lib/atcr-hold/grype-db
# HOLD_VULN_DB_PATH=/var/lib/atcr-hold/grype-db

# How often to update vulnerability database
# Examples: 24h, 12h, 48h
# Default: 24h
# HOLD_VULN_DB_UPDATE_INTERVAL=24h

# ==============================================================================
# Logging Configuration
# ==============================================================================

# Log level: debug, info, warn, error (default: info)
ATCR_LOG_LEVEL=debug

# Log formatter: text, json (default: text)
# ATCR_LOG_FORMATTER=text
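
A pre-deployment check for a `.env` built from this template, as an added example that is not part of the ATCR code base: it flags template placeholders left in place and a non-loopback `HOLD_PUBLIC_URL` without HTTPS, and shows the did:web identifier the URL implies. `parseEnv` and `audit` are hypothetical names; the did:web string follows the did:web method's rule of percent-encoding a port's colon, and that ATCR's own derivation matches is an assumption.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// parseEnv reads KEY=VALUE lines, skipping blank lines and # comments.
func parseEnv(text string) map[string]string {
	env := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if k, v, ok := strings.Cut(line, "="); ok && !strings.HasPrefix(line, "#") {
			env[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return env
}

// audit returns the did:web implied by HOLD_PUBLIC_URL (assumed derivation:
// host, port colon written as %3A) and findings that should block a deploy.
func audit(env map[string]string) (did string, findings []string) {
	checks := [][2]string{{"HOLD_OWNER", "did:plc:your-did-here"}}
	if d := env["STORAGE_DRIVER"]; d == "" || d == "s3" { // the template gives s3 as the default
		checks = append(checks, [2]string{"AWS_ACCESS_KEY_ID", "your_access_key"},
			[2]string{"AWS_SECRET_ACCESS_KEY", "your_secret_key"})
	}
	for _, c := range checks {
		if env[c[0]] == c[1] {
			findings = append(findings, c[0]+": template placeholder not replaced")
		}
	}
	u, err := url.Parse(env["HOLD_PUBLIC_URL"])
	if err != nil || u.Hostname() == "" {
		return "", append(findings, "HOLD_PUBLIC_URL: missing or unparseable")
	}
	did = "did:web:" + u.Hostname()
	if u.Port() != "" {
		did += "%3A" + u.Port()
	}
	ip := net.ParseIP(u.Hostname())
	if u.Scheme != "https" && u.Hostname() != "localhost" && (ip == nil || !ip.IsLoopback()) {
		findings = append(findings, "HOLD_PUBLIC_URL: non-loopback hold served without HTTPS")
	}
	return did, findings
}

// Constructed sample input: a few values as they appear in the template above.
func main() { fmt.Println(audit(parseEnv("HOLD_PUBLIC_URL=http://127.0.0.1:8080\nSTORAGE_DRIVER=filesystem\nHOLD_OWNER=did:plc:your-did-here"))) }
```
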