Set up Watchtower GHCR auth on production host #53

@mriechers

Context

PR #52 adds a production Docker Compose file (docker-compose.prod.yml) with Watchtower for auto-deploying new images from GHCR. Before the production stack can pull images, the host needs to authenticate with GHCR.

Steps

1. Create a GitHub Personal Access Token (PAT)

Go to: GitHub → Settings → Developer Settings → Personal Access Tokens → Tokens (classic)

  • Scopes: read:packages only
  • Name: cardigan-watchtower
  • Fine-grained tokens do not support the packages scope — must use a classic token

2. Docker login on the production host

echo "<PAT_TOKEN>" | docker login ghcr.io -u mriechers --password-stdin

This creates ~/.docker/config.json, which Watchtower reads (mounted as a volume in docker-compose.prod.yml).

Note: If Docker runs as a non-root user, set DOCKER_CONFIG=/home/<user>/.docker in your .env file so Watchtower finds the credentials.

3. Start the production stack

docker compose -f docker-compose.prod.yml up -d

Or with optional services:

docker compose -f docker-compose.prod.yml --profile tunnel --profile mcp up -d

4. Verify Watchtower is working

docker logs -f <watchtower-container-name>

Look for successful GHCR authentication and poll messages.
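A pre-flight check for steps 2 and 4 above, added here as an example and not part of this issue or the project. It assumes a POSIX shell with GNU or BSD stat on the host; the function names are hypothetical. It confirms that the config.json Watchtower will mount actually carries an inline ghcr.io entry (not a credential-helper reference) and that the file, which holds the PAT only base64-encoded, is readable by its owner alone.

```shell
#!/bin/sh
# Pre-flight check for the GHCR login that Watchtower depends on.
# config.json stores the PAT base64-encoded, not encrypted, so the
# file must exist, name ghcr.io, and be readable only by its owner.

# Resolve the config dir the way Docker does: $DOCKER_CONFIG, else ~/.docker.
docker_config_path() {
  printf '%s/config.json' "${DOCKER_CONFIG:-$HOME/.docker}"
}

# Returns 0 when the config file at $1 has an auths entry for ghcr.io.
has_ghcr_auth() {
  [ -r "$1" ] || return 1
  grep -q '"ghcr.io"' "$1"
}

# Returns 0 when $1 grants no permissions to group or other (mode 600/400).
# Tries GNU stat first, then BSD/macOS stat.
is_private_file() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit 0 only when credentials are present and private; 1 if missing, 2 if exposed.
check_ghcr_setup() {
  cfg=$(docker_config_path)
  if ! has_ghcr_auth "$cfg"; then
    if grep -Eq '"(credsStore|credHelpers)"' "$cfg" 2>/dev/null; then
      # Docker Desktop and similar hand the token to an external helper;
      # the mounted config.json alone then carries no usable GHCR auth.
      echo "$cfg delegates to a credential helper; no inline ghcr.io auth" >&2
    else
      echo "no ghcr.io entry in $cfg; run docker login ghcr.io first" >&2
    fi
    return 1
  fi
  if ! is_private_file "$cfg"; then
    echo "$cfg is readable by group/other; run: chmod 600 $cfg" >&2
    return 2
  fi
  echo "ok: $cfg has ghcr.io credentials and is owner-only"
}
```

Run `check_ghcr_setup` on the host after step 2; a non-zero exit explains why Watchtower's pull would fail or why the token is exposed to other local users.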

Applies to

  • Current: local Mac
  • Next: VM on local network
  • Eventually: offsite VPS

Same steps apply on each host — copy .env + docker-compose.prod.yml, run docker login, docker compose up -d.
