diff --git a/apps/registry/config.yml b/apps/registry/config.yml
index 7bd0787..fcaa640 100644
--- a/apps/registry/config.yml
+++ b/apps/registry/config.yml
@@ -14,7 +14,7 @@ storage:
 enabled: true
 http:
 addr: 0.0.0.0:5000
- host: https://docker.noratrieb.dev
+ host: https://old-docker.noratrieb.dev
 draintimeout: 60s
 headers:
 X-Content-Type-Options: [nosniff]
diff --git a/newinfra/nix/apps/registry/default.nix b/newinfra/nix/apps/registry/default.nix
new file mode 100644
index 0000000..4de51ae
--- /dev/null
+++ b/newinfra/nix/apps/registry/default.nix
@@ -0,0 +1,48 @@
+{ config, lib, ... }: {
+ age.secrets = {
+ registry_htpasswd = {
+ file = ../../secrets/registry_htpasswd.age;
+ owner = config.users.users.docker-registry.name;
+ };
+ registry_s3_key_secret = {
+ file = ../../secrets/registry_s3_key_secret.age;
+ owner = config.users.users.docker-registry.name;
+ };
+ };
+
+ systemd.services.docker-registry.serviceConfig.EnvironmentFile = config.age.secrets.registry_s3_key_secret.path;
+ services.dockerRegistry = {
+ enable = true;
+ storagePath = null;
+ port = 5000;
+ extraConfig = {
+ log = {
+ accesslog.disabled = false;
+ level = "info";
+ formatter = "text";
+ fields.service = "registry";
+ };
+ redis = lib.mkForce null;
+ storage = {
+ s3 = {
+ regionendpoint = "http://127.0.0.1:3900";
+ region = "garage";
+ bucket = "docker-registry";
+ # accesskey = ""; ENV REGISTRY_STORAGE_S3_ACCESSKEY
+ # secretkey = ""; ENV REGISTRY_STORAGE_S3_SECRETKEY
+ secure = false;
+ };
+ redirect.disable = true;
+ };
+ http = {
+ host = "https://docker.noratrieb.dev";
+ draintimeout = "60s";
+ };
+ auth.htpasswd = {
+ # TODO: ugh :(
+ realm = "nilstrieb-registry";
+ path = config.age.secrets.registry_htpasswd.path;
+ };
+ };
+ };
+}
diff --git a/newinfra/nix/hive.nix b/newinfra/nix/hive.nix
index 32829d6..1348555 100644
--- a/newinfra/nix/hive.nix
+++ b/newinfra/nix/hive.nix
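Review bot: The new `http` block drops the `X-Content-Type-Options: [nosniff]` response header that the legacy `apps/registry/config.yml` sets (visible as context in the first hunk), so the migrated registry is a little less hardened than the instance it replaces; adding `headers."X-Content-Type-Options" = [ "nosniff" ];` next to `draintimeout` restores parity. `registry_s3_key_secret` should not need `owner = config.users.users.docker-registry.name`: systemd reads `EnvironmentFile=` itself, as root, before the service drops privileges, so leaving the agenix default (root-owned, mode 0400) keeps the Garage key off the registry user's filesystem view while the process still receives it through the environment — worth confirming once on the host. The plaintext `regionendpoint`/`secure = false` pair is acceptable only because Garage is on 127.0.0.1, and `redirect.disable = true` is what keeps that internal endpoint from being handed to clients in blob redirects, so I would say so in a comment, e.g. `# loopback only; redirect.disable keeps 127.0.0.1:3900 out of client-facing URLs`. Finally `# TODO: ugh :(` does not tell the next reader what is wrong; if it is about htpasswd, note that the registry's htpasswd backend only accepts bcrypt entries (`htpasswd -B`) and that it puts every pull behind credentials, since that dictates how the file behind `registry_htpasswd.age` must be generated.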
@@ -150,6 +150,7 @@
 ./apps/hugo-chat
 ./apps/uptime
 ./apps/cargo-bisect-rustc-service
+ ./apps/registry
 ];
 deployment.tags = [ "ingress" "eu" "apps" "wg" ];
diff --git a/newinfra/nix/modules/dns/noratrieb.dev.nix b/newinfra/nix/modules/dns/noratrieb.dev.nix
index 40b6609..93497f7 100644
--- a/newinfra/nix/modules/dns/noratrieb.dev.nix
+++ b/newinfra/nix/modules/dns/noratrieb.dev.nix
@@ -43,10 +43,11 @@ let
 # --- legacy crap
 vps2 = vps2; # TODO REMOVE
- docker = vps2;
+ old-docker = vps2;
 # --- apps
 bisect-rustc = vps1;
+ docker = vps1;
 hugo-chat = vps1 // {
 subdomains.api = vps1;
 };
diff --git a/newinfra/nix/modules/garage/README.md b/newinfra/nix/modules/garage/README.md
index e1c57cb..cdc3add 100644
--- a/newinfra/nix/modules/garage/README.md
+++ b/newinfra/nix/modules/garage/README.md
@@ -16,6 +16,8 @@
 ## buckets
 - `caddy-store`: Store for Caddy webservers
+ - key `caddy`
+- `docker-registry`
 ## keys
diff --git a/newinfra/nix/modules/ingress/Caddyfile b/newinfra/nix/modules/ingress/Caddyfile
index af05a9a..9045a34 100644
--- a/newinfra/nix/modules/ingress/Caddyfile
+++ b/newinfra/nix/modules/ingress/Caddyfile
@@ -49,6 +49,10 @@ bisect-rustc.noratrieb.dev {
 reverse_proxy * localhost:5005
 }
+docker.noratrieb.dev {
+ reverse_proxy * localhost:5000
+}
+
 ################################################################
 # deadname redirects
 nilstrieb.dev {
@@ -67,6 +71,10 @@ bisect-rustc.nilstrieb.dev {
 redir https://bisect-rustc.dev/blog{uri} permanent
 }
+docker.nilstrieb.dev {
+ redir https://docker.noratrieb.dev{uri} permanent
+}
+
 hugo-chat.nilstrieb.dev {
 redir https://hugo-chat.noratrieb.dev{uri} permanent
 }
diff --git a/newinfra/nix/secrets/caddy_s3_key_secret.age b/newinfra/nix/secrets/caddy_s3_key_secret.age
index fb2c2a7..b99b7b9 100644
Binary files a/newinfra/nix/secrets/caddy_s3_key_secret.age and b/newinfra/nix/secrets/caddy_s3_key_secret.age differ
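Review bot: The `docker.nilstrieb.dev` block answers a registry hostname with a 301, and I would not expect Docker clients to survive it: Go's HTTP client turns a redirected POST/PATCH/PUT into a GET and strips `Authorization` when the redirect crosses hosts, so a push to the old name fails outright and a pull most likely ends in a 401 from the htpasswd-protected new host. That is harmless as a browser convenience, but it means this deadname entry does not actually migrate anyone; I would add `# browsers only: docker clients must re-login to docker.noratrieb.dev` above the `redir` line so nobody relies on it. Stale `~/.docker/config.json` entries will also keep presenting Basic credentials to whichever host answers a challenge on `docker.nilstrieb.dev`, so that name should stay under your control until users have switched.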
diff --git a/newinfra/nix/secrets/docker_registry_password.age b/newinfra/nix/secrets/docker_registry_password.age index 954d1dd..18f4fc9 100644 Binary files a/newinfra/nix/secrets/docker_registry_password.age and b/newinfra/nix/secrets/docker_registry_password.age differ diff --git a/newinfra/nix/secrets/garage_secrets.age b/newinfra/nix/secrets/garage_secrets.age index db044a1..4ea886d 100644 Binary files a/newinfra/nix/secrets/garage_secrets.age and b/newinfra/nix/secrets/garage_secrets.age differ diff --git a/newinfra/nix/secrets/hugochat_db_password.age b/newinfra/nix/secrets/hugochat_db_password.age index 4a96015..63e13b0 100644 Binary files a/newinfra/nix/secrets/hugochat_db_password.age and b/newinfra/nix/secrets/hugochat_db_password.age differ diff --git a/newinfra/nix/secrets/minio_env_file.age b/newinfra/nix/secrets/minio_env_file.age index 8c5e8e2..e3facf3 100644 --- a/newinfra/nix/secrets/minio_env_file.age +++ b/newinfra/nix/secrets/minio_env_file.age @@ -1,7 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg Jtt9cLPGha9Qs5gEuKSwU3E1bNMhrjlHtnj/I3dKqW0 -0iDfPorED8lq0Rc5LVDNWID7l2F+AnmeEr7Yik/OC44 --> ssh-ed25519 XzACZQ Q9WpNGn/k35J0/LzGAlcf1ktN2/VG3nZdpfMbJXAnWw -bl2Pasbxmb6LNbWiZrEVBQ99gYYC5Md6kdvIt4VAf7k ---- +B0f8ilJGkB7Qj+BdzeKfW6HRl9yzMd+iT4sOAmJI5Y -\ȁ'ZtbJ7AL⛣&C+LMnhІ]R; ԆJHKO7B\(QmΒU>r4"XhIdcE6G_oN \ No newline at end of file +-> ssh-ed25519 qM6TYg EI4ZJijnotHTHevfFPYRvpl7ccKd1GX4v4TnIeg9OEk +12IpJojvydgvYEKeH5czeHqxMYiczVoVOkhDsXnLBI0 +-> ssh-ed25519 XzACZQ x9w42tznOiNImwa1SHDF8VgC2yMDUnmsuy2Abs8OAWE +BurhfH8j8eupgIB6+r/VRCbTB+wCtyHZqxFLedFIdBM +--- QIt5U0Kjpaw7cKhuUZoJMA3l+P0th172NK+LxWw/JZU +\zS3Òe0賡OԔק'}7 +uM'j̍V(׻A{[3QLH@>2q֏y7+ +&.T \ No newline at end of file diff --git a/newinfra/nix/secrets/registry_htpasswd.age b/newinfra/nix/secrets/registry_htpasswd.age new file mode 100644 index 0000000..8414c47 --- /dev/null +++ b/newinfra/nix/secrets/registry_htpasswd.age 
@@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 qM6TYg suD780CXmj5jE1zjQ8yFPBx/mJpc+qtrSnx21GNPREs +woldNF3/BqEJFZebSL+h8Trd4ULoCXEPGITJ+M6miY0 +--- /TVDLF4l3t96nTkcA6kPTggtto1f7FbTtMNXG+7u4HE +eMMkw=XE=@,3k*|'bhl\^{6o s?XмԔ= 1@ہwZTC´,"* \ No newline at end of file diff --git a/newinfra/nix/secrets/registry_s3_key_secret.age b/newinfra/nix/secrets/registry_s3_key_secret.age new file mode 100644 index 0000000..64047eb Binary files /dev/null and b/newinfra/nix/secrets/registry_s3_key_secret.age differ diff --git a/newinfra/nix/secrets/secrets.nix b/newinfra/nix/secrets/secrets.nix index 3d82c2e..4cb10d2 100644 --- a/newinfra/nix/secrets/secrets.nix +++ b/newinfra/nix/secrets/secrets.nix @@ -12,6 +12,8 @@ in "minio_env_file.age".publicKeys = [ vps1 vps3 ]; "garage_secrets.age".publicKeys = [ vps1 vps3 vps4 vps5 ]; "caddy_s3_key_secret.age".publicKeys = [ vps1 vps3 vps4 vps5 ]; + "registry_htpasswd.age".publicKeys = [ vps1 ]; + "registry_s3_key_secret.age".publicKeys = [ vps1 ]; "wg_private_vps1.age".publicKeys = [ vps1 ]; "wg_private_vps3.age".publicKeys = [ vps3 ]; "wg_private_vps4.age".publicKeys = [ vps4 ]; diff --git a/newinfra/nix/secrets/wg_private_vps1.age b/newinfra/nix/secrets/wg_private_vps1.age index 2137537..d4740ab 100644 --- a/newinfra/nix/secrets/wg_private_vps1.age +++ b/newinfra/nix/secrets/wg_private_vps1.age @@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg xCaglRQkcl1+kGIVjPEn+NlnrBUvcWLSH7MMPLXK9kU -78t/Z81+NaXQMW30EQH8WMhed6Lm77+atPTkBQbDMd0 ---- AsnraeejCWHj1iRI/1btRXI6tqdnBW4S+twfx35eNEI -61KqH\vélWIX{K;#S&g^.KQ8a7V:e)9Ќ!O \ No newline at end of file +-> ssh-ed25519 qM6TYg O7IcxaeSOGfOmQJudTMomwnl/bsPhAUKCPeidwbThXs +e4Llj1rpB0QtY08AOQYSr9450fdLd7Io8MpXzCAma5c +--- DnobWf9zRcr2T9fV32wFhZDmHoXdrLGoEbiOMg+ixyE +ZeNKh, $! Ϲbz/:q^u1 qEF-F=7C%Іڥq \ No newline at end of file diff --git a/newinfra/nix/secrets/wg_private_vps3.age b/newinfra/nix/secrets/wg_private_vps3.age index 7a46f3d..532de45 100644 
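Review bot: The same commit that adds the two `vps1`-only recipient entries to `secrets.nix` also re-encrypts `wg_private_vps{1,3,4,5}.age`, `minio_env_file.age`, `garage_secrets.age`, `caddy_s3_key_secret.age` and the `widetom_*` secrets, and nothing visible says whether those keys were rotated or merely re-keyed to the same recipients; from the ciphertext alone that cannot be audited later. I would record it next to the affected entries, e.g. `# wg_private_*, minio, garage, caddy: re-encrypted alongside the registry rollout, material unchanged` (or the opposite, if they were rotated), or move the unrelated re-encryptions into their own commit. Scoping `registry_htpasswd.age` and `registry_s3_key_secret.age` to `vps1` alone matches where `./apps/registry` is imported and is the right least-privilege choice.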
--- a/newinfra/nix/secrets/wg_private_vps3.age +++ b/newinfra/nix/secrets/wg_private_vps3.age @@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 XzACZQ PAqPA1RpuXwjKCsn838qwsuRmuh8ES7BPiyCIFdhMmA -QIAC+dfBMSZwzHwcQpO1IyDPKwTvr/iG35PkrFOyzwE ---- zNejM9ypNWH1Bg1J1V4UCqMIyVP+gIV/mmgBaCfFCKk -y2yv0W}qYmhZ{B|t7,@6B_V80iaz9@j) \ No newline at end of file +-> ssh-ed25519 XzACZQ 8C7hL4eGkNUafD4z3KDlduzt1gLrEMZbHGD1ax8D9hQ +IR3sdzbh5ho0switjmknCu4VoPXrBl4uu8wGOjxqpaw +--- UCQLDGKp7Q8pB2MVuT/0/lff559GE/pSzpLj5WXHrvs +Y60uh ssh-ed25519 51bcvA mJYJJnaKusYBpSL5qAokXISlrXkBZ0QPKZVPkiyKSnk -IAsX5+UPxhap7ehB9za8Q9aEfeA0Ypd4Tw7XiU4f2eM ---- VBlmFpr+g83UfZ4rftOkNzKL/ZxSxAi7/tBl4TMaln4 -m侒AWcNW-F6ȆyT=~kg%U ;Dݲi&[j+_ - \ No newline at end of file +-> ssh-ed25519 51bcvA CjxIs41xJfD5FLvhNePVx4Z+oxLNGs18rIqA1oePZUA +vbbgC5XDSpheko+opZcGdGOLRTkpy9oOKUDqJB5mHrA +--- zIA/cJR2IvTe9PrxvsqYUtx3CVDMadur9Zab5yklQHk +9_n5~\C'q]+~jw&O4N vUo$ʐbEͅGkmk\ \ No newline at end of file diff --git a/newinfra/nix/secrets/wg_private_vps5.age b/newinfra/nix/secrets/wg_private_vps5.age index 156b44e..5529669 100644 --- a/newinfra/nix/secrets/wg_private_vps5.age +++ b/newinfra/nix/secrets/wg_private_vps5.age @@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 vT7ExA mzVnSgeDMMYUVe1J50PKFxwcpW9/XrweIyrOP8YtEF0 -N5vIpmomADBhQ0OXXw5uDcPeAeomaL/uyeAqCGewVMA ---- QBH8lw1hB2qVKXbd6AfQ9M5JlyPRCgzcHrVNjyGDfiI -7YBÊ1^VKx`z}9 Waȧk W[ +"_o%rlR \ No newline at end of file +-> ssh-ed25519 vT7ExA hiEMWjjGY/Elfd8oc9gB7p1bcV0G4u+NpvcChl06Kko +TANojl91jyH5dIjj0e7FlyvWfblRWd1psLerI3AxKe4 +--- EZL4OcGAkc70DMOiFaiZab64IX+Cv952bGXgF/5XZNc +{KNn0ojMrTOq3Map&;D qAStrY@ m4rOm \ No newline at end of file diff --git a/newinfra/nix/secrets/widetom_bot_token.age b/newinfra/nix/secrets/widetom_bot_token.age index 009e9f6..08e20fd 100644 Binary files a/newinfra/nix/secrets/widetom_bot_token.age and b/newinfra/nix/secrets/widetom_bot_token.age differ 
diff --git a/newinfra/nix/secrets/widetom_config_toml.age b/newinfra/nix/secrets/widetom_config_toml.age
index 273d1e1..3180cab 100644
Binary files a/newinfra/nix/secrets/widetom_config_toml.age and b/newinfra/nix/secrets/widetom_config_toml.age differ
diff --git a/newinfra/secrets-git-crypt/registry_htpasswd b/newinfra/secrets-git-crypt/registry_htpasswd
new file mode 100644
index 0000000..26970ab
Binary files /dev/null and b/newinfra/secrets-git-crypt/registry_htpasswd differ
diff --git a/newinfra/secrets-git-crypt/registry_s3_key_secret b/newinfra/secrets-git-crypt/registry_s3_key_secret
new file mode 100644
index 0000000..70c9bcb
Binary files /dev/null and b/newinfra/secrets-git-crypt/registry_s3_key_secret differ
diff --git a/vps2/Caddyfile b/vps2/Caddyfile
index 2246e1e..a2e9f34 100644
--- a/vps2/Caddyfile
+++ b/vps2/Caddyfile
@@ -33,10 +33,7 @@ vps2.nilstrieb.dev {
 file_server
 }
-docker.nilstrieb.dev {
- reverse_proxy * localhost:5000
-}
-docker.noratrieb.dev {
+old-docker.noratrieb.dev {
 reverse_proxy * localhost:5000
 }
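Review bot: After this hunk the old registry on vps2 is still fully live and writable under `old-docker.noratrieb.dev` (same `localhost:5000` upstream, and `apps/registry/config.yml` in the first hunk gains no read-only setting), so a client that still targets the old instance can keep pushing images that will be silently lost when vps2 is retired. Since the legacy `config.yml` is touched in this commit anyway, I would put that instance into maintenance mode there by adding `maintenance:` / `  readonly:` / `    enabled: true` under its existing `storage:` key, which lets pulls continue during the cut-over while pushes are rejected with a clear error. A short comment on the renamed vhost, e.g. `# legacy, read-only during migration; remove with vps2`, would tie the two together.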