diff --git a/services/portainer/stack.yml b/services/portainer/stack.yml index 9d4f30b..3ccdc49 100644 --- a/services/portainer/stack.yml +++ b/services/portainer/stack.yml @@ -20,7 +20,7 @@ services: - portainer_data:/data networks: - agent_network - - {{ ingress_network }} + - "{{ ingress_network }}" deploy: mode: replicated replicas: 1 diff --git a/services/registry/config/config.yml b/services/registry/config/config.yml new file mode 100644 index 0000000..ef7bb05 --- /dev/null +++ b/services/registry/config/config.yml @@ -0,0 +1,21 @@ +version: 0.1 +log: + fields: + service: registry +storage: + cache: + blobdescriptor: inmemory + {{ registry_storage|to_nice_yaml(indent=2, width=140)|indent(2) }} +http: + addr: :5000 + headers: + X-Content-Type-Options: [nosniff] +auth: + htpasswd: + realm: basic-realm + path: /etc/docker/registry/htpasswd +health: + storagedriver: + enabled: true + interval: 10s + threshold: 3 diff --git a/services/registry/stack.yml b/services/registry/stack.yml new file mode 100644 index 0000000..5dbea01 --- /dev/null +++ b/services/registry/stack.yml @@ -0,0 +1,30 @@ +version: "{{ compose_version }}" + +services: + registry: + image: registry:2 + secrets: + - source: htpasswd_{{ registry_htpasswd.stat.checksum }} + target: /etc/docker/registry/htpasswd + configs: + - source: registry_{{ registry_config.checksum }} + target: /etc/docker/registry/config.yml + deploy: + placement: + constraints: + - node.role == manager + labels: + - traefik.enable=true + - traefik.http.routers.{{ service }}.rule=Host(`{{ service }}.{{ main_domain }}`) + - traefik.http.routers.{{ service }}.tls=true + - traefik.http.routers.{{ service }}.tls.certresolver=lets-encrypt + - traefik.http.services.{{ service }}.loadbalancer.server.port=5000 + networks: ['{{ ingress_network }}'] + +configs: + registry_{{ registry_config.checksum }}: + file: ./config/config.yml + +secrets: + htpasswd_{{ registry_htpasswd.stat.checksum }}: + file: ./config/htpasswd 
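Review bot: The new config.yml sets no `http.secret`, so the registry generates a random one at each start (it logs a warning about this); that value signs resumable-upload session state, so a restart mid-push should invalidate in-flight uploads and, with more than one replica, uploads would fail across instances. Provide a stable vaulted value next to `addr: :5000`, e.g. `secret: "{{ registry_http_secret }}"`. Note also that the `registry_storage` block rendered via `to_nice_yaml` places the S3 access and secret key in this file in cleartext, so the rendered file must be handled as a secret wherever it lands, not as ordinary configuration.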
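Review bot: `config/config.yml` is mounted as a Docker `config`, but given the `registry_storage` block it carries the S3 access key and secret key in cleartext; swarm configs are not encrypted at rest in the Raft store the way `secrets` are, so this should be delivered as a secret instead: move the entry to `secrets:` as `- source: registry_{{ registry_config.checksum }}` / `target: /etc/docker/registry/config.yml`, declare it under the top-level `secrets:` with `file: ./config/config.yml`, and drop the `configs:` entries. Separately, the Traefik router labels set `tls=true` but no `entrypoints`; Traefik attaches a router with no entrypoints to all of them, so if this Traefik instance also has a plaintext entrypoint the registry (and its basic-auth credentials) would be reachable over HTTP as well — add `traefik.http.routers.{{ service }}.entrypoints=websecure` (or whatever the TLS entrypoint is named). Whether such an entrypoint exists is not visible in this diff.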
diff --git a/services/registry/tasks/config.yml b/services/registry/tasks/config.yml new file mode 100644 index 0000000..752859f --- /dev/null +++ b/services/registry/tasks/config.yml @@ -0,0 +1,29 @@ +--- +- name: 'Copy config for "{{ service }}"' + template: + src: "{{ service_path }}/config/config.yml" + dest: "{{ remote_service_path }}/config/config.yml" + register: registry_config + tags: + - config + +- name: 'Generate passwords file for "{{ service }}"' + community.general.htpasswd: + path: "{{ remote_service_path }}/config/htpasswd" + name: "{{ registry_user.name }}" + crypt_scheme: bcrypt + password: "{{ registry_user.password }}" + loop: "{{ registry_users }}" + loop_control: + loop_var: registry_user + label: "{{ registry_user.name }}" + tags: + - config + +- name: 'Compute config hash for passwords file of "{{ service }}"' + ansible.builtin.stat: + path: "{{ remote_service_path }}/config/htpasswd" + get_mime: no + get_attributes: no + get_checksum: yes + register: registry_htpasswd diff --git a/tasks/deploy.yml b/tasks/deploy.yml index c14a967..a2a1080 100644 --- a/tasks/deploy.yml +++ b/tasks/deploy.yml @@ -13,6 +13,7 @@ with_dict: "{{ service_config[service]|default({}) }}" loop_control: loop_var: variable + label: "{{ variable.key }}" tags: - always diff --git a/vars/environment.yml b/vars/environment.yml index a186e83..ad2207b 100644 --- a/vars/environment.yml +++ b/vars/environment.yml @@ -4,6 +4,8 @@ pip_install_packages: - docker - jsondiff - pyyaml + - passlib + - bcrypt ansible_python_interpreter: /usr/bin/python3 pip_package: python3-pip pip_executable: pip3 diff --git a/vars/services.yml b/vars/services.yml index f90e91a..c25b236 100644 --- a/vars/services.yml +++ b/vars/services.yml 
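Review bot: Neither the `template` task nor the `community.general.htpasswd` task sets a `mode`, so the rendered config.yml (which carries the S3 credentials from `registry_storage`) and the htpasswd file are created with the remote umask default, typically world-readable on the manager node; add `mode: "0600"` to both tasks. The loop `label` keeps the password out of normal output, but adding `no_log: true` to the htpasswd task also keeps a failed task's result from echoing loop data. Users dropped from `registry_users` are not removed from the file (only presence is managed), so revocation needs a separate `state: absent` pass. The stat task carries no `tags: config`, so a `--tags config` run would skip it and leave `registry_htpasswd.stat.checksum` undefined for stack.yml if that is consumed in the same run — worth tagging it the same way.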
@@ -38,5 +38,36 @@ service_config: cojedzie: cojedzie_gtm: GTM-TQNX386 + registry: + registry_users: + - name: kadet + password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 62613965333632643231306232323064306439313330353830663132393137633632613839656463 + 6335356336383632313765393634356563393066316261660a643762366532623735626430636634 + 35333465663730383033313762353539323663613038366531626163336430663062313466626137 + 6330386139356263390a663366633232346637346233653261373330343864613262313465336432 + 31366633323433653632366633376533343764343565653737633837383330323630313433323836 + 6530363533656439663631636532363864373666343163376632 + registry_storage: + s3: + accesskey: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 62343638373430393732616566373062633161316565646161613739363364346266663461386134 + 6662356631333130323835386365393864633332643064360a313738373234323336376434663234 + 66666137653065383762303365643663303365376662663931316430346331373538323963353263 + 3961663835393334370a613137316433396637316437616662356364626535626166333930356139 + 36323930633662363664663064346239386230616537353332356338653463356365 + secretkey: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 62386333363935343736626233333035373534316636303063313039633764653162643761393431 + 6137393061623538346562623731373937643361353839620a356662373131623263636663626334 + 35353435613763346139613931316537626434363462646139366539636139336161623463343433 + 6563656236663563650a313965336364323134336531373135666162663232623261313362663363 + 36363165623231616331613165626563383038613534303465646530303132623930 + region: eu-central-003 + regionendpoint: https://s3.eu-central-003.backblazeb2.com + bucket: kadet-docker + www_data_users: - vagrant