# Lessons on the registry

- **Self-hosting closes the supply chain.** Everything the cluster runs was built and stored by you.
- **It's an API + a blob store + auth + TLS.** Each piece is simple; the value is in assembling them safely.
- **Push to the TLS name, not a plain-HTTP address.** Saves per-client "insecure registry" configuration — another win from edge TLS.
- **Garbage-collect inside a read-only window, and always restore writes.** Cleanup against live data demands a safety net; a guaranteed-undo `trap` is that net.
- **Watch your storage.** Without periodic GC, deleted tags quietly keep consuming disk forever.
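
The read-only window and guaranteed-undo `trap` from the garbage-collection lesson, as an added example (not code from the original page). `READONLY_ON_CMD`, `READONLY_OFF_CMD` and `GC_CMD` are hypothetical variables: set them to whatever commands your own registry deployment uses to toggle read-only mode and run GC.

```shell
#!/usr/bin/env bash
# Added example: run registry GC inside a read-only window with a guaranteed undo.
# READONLY_ON_CMD / READONLY_OFF_CMD / GC_CMD are hypothetical, deployment-specific.

restore_writes() {
  rc=$?            # status the maintenance subshell was about to exit with
  trap - EXIT      # disarm so the undo runs exactly once
  if sh -c "$READONLY_OFF_CMD"; then
    echo "registry: writes restored" >&2
  else
    echo "registry: FAILED to restore writes, manual action needed" >&2
    [ "$rc" -ne 0 ] || rc=70   # a failed undo must never look like success
  fi
  exit "$rc"
}

gc_in_readonly_window() {
  if [ -z "${READONLY_ON_CMD:-}" ] || [ -z "${READONLY_OFF_CMD:-}" ] \
     || [ -z "${GC_CMD:-}" ]; then
    echo "set READONLY_ON_CMD, READONLY_OFF_CMD and GC_CMD" >&2
    return 64
  fi
  (
    # Arm the undo BEFORE going read-only, so a half-applied switch is undone too.
    trap restore_writes EXIT
    # Turn signals into a normal exit so the EXIT trap still fires.
    trap 'exit 129' HUP
    trap 'exit 130' INT
    trap 'exit 143' TERM

    # Explicit checks instead of `set -e`, which is ignored when the caller
    # uses this function in an `if` or `||` context.
    sh -c "$READONLY_ON_CMD" || exit 1    # never GC against a writable registry
    sh -c "$GC_CMD"          || exit $?   # keep GC's own status for the caller
  )
}
```

The function returns GC's exit status, or 70 when GC succeeded but the undo did not, so a scheduler or alert can tell "GC failed" apart from "registry is stuck read-only".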