Nginx sends the response as an application/octet-stream so browsers try
to download it.

Address the issue after shore.co.il was moved to ns4.

Reply with the client's public facing (internet) IP.

In line with the master branch.

Should be faster. Just static files anyway.

2 services, the registry under /v2/ and a browsable frontend under /.
Allow uploading only from a local IP address (from the host itself).
I think that this way I can avoid having authentication and instead just
build and upload on the host.

This reverts commit d4d48591 but not
completly, just the parts needed for the services moved to ns4.

Snippet to redirect to https if Upgrade-Insecure-Requests is set in the
request.

How can I miss the opportunity to interfere with Google in any way?

Login every 4 hours isn't reasonable. A week seems better to me.

Mainly ChaCha20. Also disable AESCCM (as per
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
it's slow and uncommon).

Vouch uses the Host header for calculating the JWT but we can't override
that (proxying won't work with an incorrect header). So instead it to
each deployment so we don't have multiple proxies and can override the
Host header.

Using vouch.shore.co.il.

Use the CA certificate bundle and set the verification depth (for
intermediate certificates). Right now for Vouch.

Needed for the default (fallback) acme challenge access (with the
renew-certs playbooks from the homelab repo).

To have a common .gitlab-ci.yml.