fix: move writeLogsToFile doc comment to correct position

The buildRegistryAuths function was inserted between the writeLogsToFile
doc comment and the writeLogsToFile function body, causing Go to treat
the writeLogsToFile comment as part of buildRegistryAuths godoc.

Move the writeLogsToFile comment to sit directly above its function,
and keep only the buildRegistryAuths comment above buildRegistryAuths.

README.md

@@ -8,7 +8,8 @@ A simple self-hosted PaaS that auto-deploys Docker containers from Git repositor
 - Per-app SSH keypairs for read-only deploy keys
 - Per-app UUID-based webhook URLs for Gitea integration
 - Branch filtering - only deploy on configured branch changes
-- Environment variables, labels, volume mounts, and custom health checks per app
+- Environment variables, labels, and volume mounts per app
+- Private Docker registry authentication for base images
 - Docker builds via socket access
 - Notifications via ntfy and Slack-compatible webhooks
 - Simple server-rendered UI with Tailwind CSS

internal/database/migrations/007_add_healthcheck_command.sql

@@ -1,2 +0,0 @@
--- Add custom health check command per app
-ALTER TABLE apps ADD COLUMN healthcheck_command TEXT;

internal/database/migrations/007_add_registry_credentials.sql

@@ -0,0 +1,11 @@
+-- Add registry credentials for private Docker registry authentication during builds
+CREATE TABLE registry_credentials (
+    id INTEGER PRIMARY KEY,
+    app_id TEXT NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
+    registry TEXT NOT NULL,
+    username TEXT NOT NULL,
+    password TEXT NOT NULL,
+    UNIQUE(app_id, registry)
+);
+
+CREATE INDEX idx_registry_credentials_app_id ON registry_credentials(app_id);

internal/docker/auth_test.go

@@ -0,0 +1,96 @@
+package docker //nolint:testpackage // tests unexported buildAuthConfigs
+
+import (
+	"testing"
+)
+
+func TestBuildAuthConfigsEmpty(t *testing.T) {
+	t.Parallel()
+
+	result := buildAuthConfigs(nil)
+	if len(result) != 0 {
+		t.Errorf("expected empty map, got %d entries", len(result))
+	}
+}
+
+func TestBuildAuthConfigsSingle(t *testing.T) {
+	t.Parallel()
+
+	auths := []RegistryAuth{
+		{
+			Registry: "registry.example.com",
+			Username: "user",
+			Password: "pass",
+		},
+	}
+
+	result := buildAuthConfigs(auths)
+
+	if len(result) != 1 {
+		t.Fatalf("expected 1 entry, got %d", len(result))
+	}
+
+	cfg, ok := result["registry.example.com"]
+	if !ok {
+		t.Fatal("expected registry.example.com key")
+	}
+
+	if cfg.Username != "user" {
+		t.Errorf("expected username 'user', got %q", cfg.Username)
+	}
+
+	if cfg.Password != "pass" {
+		t.Errorf("expected password 'pass', got %q", cfg.Password)
+	}
+
+	if cfg.ServerAddress != "registry.example.com" {
+		t.Errorf("expected server address 'registry.example.com', got %q", cfg.ServerAddress)
+	}
+}
+
+func TestBuildAuthConfigsMultiple(t *testing.T) {
+	t.Parallel()
+
+	auths := []RegistryAuth{
+		{Registry: "ghcr.io", Username: "ghuser", Password: "ghtoken"},
+		{Registry: "docker.io", Username: "dkuser", Password: "dktoken"},
+	}
+
+	result := buildAuthConfigs(auths)
+
+	if len(result) != 2 {
+		t.Fatalf("expected 2 entries, got %d", len(result))
+	}
+
+	ghcr := result["ghcr.io"]
+	if ghcr.Username != "ghuser" || ghcr.Password != "ghtoken" {
+		t.Errorf("unexpected ghcr.io config: %+v", ghcr)
+	}
+
+	dkr := result["docker.io"]
+	if dkr.Username != "dkuser" || dkr.Password != "dktoken" {
+		t.Errorf("unexpected docker.io config: %+v", dkr)
+	}
+}
+
+func TestRegistryAuthStruct(t *testing.T) {
+	t.Parallel()
+
+	auth := RegistryAuth{
+		Registry: "registry.example.com",
+		Username: "testuser",
+		Password: "testpass",
+	}
+
+	if auth.Registry != "registry.example.com" {
+		t.Errorf("expected registry 'registry.example.com', got %q", auth.Registry)
+	}
+
+	if auth.Username != "testuser" {
+		t.Errorf("expected username 'testuser', got %q", auth.Username)
+	}
+
+	if auth.Password != "testpass" {
+		t.Errorf("expected password 'testpass', got %q", auth.Password)
+	}
+}

internal/docker/client.go

@@ -13,7 +13,6 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
-	"time"
 
 	dockertypes "github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
@@ -21,6 +20,7 @@ import (
 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/client"
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/go-connections/nat"
@@ -106,12 +106,20 @@ func (c *Client) IsConnected() bool {
 	return c.docker != nil
 }
 
+// RegistryAuth contains authentication credentials for a Docker registry.
+type RegistryAuth struct {
+	Registry string
+	Username string
+	Password string //nolint:gosec // credential field required for registry auth
+}
+
 // BuildImageOptions contains options for building an image.
 type BuildImageOptions struct {
 	ContextDir     string
 	DockerfilePath string
 	Tags           []string
-	LogWriter      io.Writer // Optional writer for build output
+	LogWriter      io.Writer      // Optional writer for build output
+	RegistryAuths  []RegistryAuth // Optional registry credentials for pulling private base images
 }
 
 // BuildImage builds a Docker image from a context directory.
@@ -139,14 +147,13 @@ func (c *Client) BuildImage(
 
 // CreateContainerOptions contains options for creating a container.
 type CreateContainerOptions struct {
-	Name               string
+	Name    string
-	Image              string
+	Image   string
-	Env                map[string]string
+	Env     map[string]string
-	Labels             map[string]string
+	Labels  map[string]string
-	Volumes            []VolumeMount
+	Volumes []VolumeMount
-	Ports              []PortMapping
+	Ports   []PortMapping
-	Network            string
+	Network string
-	HealthcheckCommand string // Custom health check shell command (empty = use image default)
 }
 
 // VolumeMount represents a volume mount.
@@ -163,6 +170,21 @@ type PortMapping struct {
 	Protocol      string // "tcp" or "udp"
 }
 
+// buildAuthConfigs converts RegistryAuth slices into Docker's AuthConfigs map.
+func buildAuthConfigs(auths []RegistryAuth) map[string]registry.AuthConfig {
+	configs := make(map[string]registry.AuthConfig, len(auths))
+
+	for _, auth := range auths {
+		configs[auth.Registry] = registry.AuthConfig{
+			Username:      auth.Username,
+			Password:      auth.Password,
+			ServerAddress: auth.Registry,
+		}
+	}
+
+	return configs
+}
+
 // buildPortConfig converts port mappings to Docker port configuration.
 func buildPortConfig(ports []PortMapping) (nat.PortSet, nat.PortMap) {
 	exposedPorts := make(nat.PortSet)
@@ -187,29 +209,6 @@ func buildPortConfig(ports []PortMapping) (nat.PortSet, nat.PortMap) {
 	return exposedPorts, portBindings
 }
 
-// healthcheckInterval is the time between health check attempts.
-const healthcheckInterval = 30 * time.Second
-
-// healthcheckTimeout is the maximum time a single health check can take.
-const healthcheckTimeout = 10 * time.Second
-
-// healthcheckStartPeriod is the grace period before health checks start counting failures.
-const healthcheckStartPeriod = 15 * time.Second
-
-// healthcheckRetries is the number of consecutive failures needed to mark unhealthy.
-const healthcheckRetries = 3
-
-// buildHealthcheck creates a Docker health check config from a shell command string.
-func buildHealthcheck(command string) *container.HealthConfig {
-	return &container.HealthConfig{
-		Test:        []string{"CMD-SHELL", command},
-		Interval:    healthcheckInterval,
-		Timeout:     healthcheckTimeout,
-		StartPeriod: healthcheckStartPeriod,
-		Retries:     healthcheckRetries,
-	}
-}
-
 // CreateContainer creates a new container.
 func (c *Client) CreateContainer(
 	ctx context.Context,
@@ -243,22 +242,14 @@ func (c *Client) CreateContainer(
 	// Convert ports to exposed ports and port bindings
 	exposedPorts, portBindings := buildPortConfig(opts.Ports)
 
-	// Build container config
-	containerConfig := &container.Config{
-		Image:        opts.Image,
-		Env:          envSlice,
-		Labels:       opts.Labels,
-		ExposedPorts: exposedPorts,
-	}
-
-	// Apply custom health check if configured
-	if opts.HealthcheckCommand != "" {
-		containerConfig.Healthcheck = buildHealthcheck(opts.HealthcheckCommand)
-	}
-
 	// Create container
 	resp, err := c.docker.ContainerCreate(ctx,
-		containerConfig,
+		&container.Config{
+			Image:        opts.Image,
+			Env:          envSlice,
+			Labels:       opts.Labels,
+			ExposedPorts: exposedPorts,
+		},
 		&container.HostConfig{
 			Mounts:       mounts,
 			PortBindings: portBindings,
@@ -546,12 +537,18 @@ func (c *Client) performBuild(
 	}()
 
 	// Build image
-	resp, err := c.docker.ImageBuild(ctx, tarArchive, dockertypes.ImageBuildOptions{
+	buildOpts := dockertypes.ImageBuildOptions{
 		Dockerfile: opts.DockerfilePath,
 		Tags:       opts.Tags,
 		Remove:     true,
 		NoCache:    false,
-	})
+	}
+
+	if len(opts.RegistryAuths) > 0 {
+		buildOpts.AuthConfigs = buildAuthConfigs(opts.RegistryAuths)
+	}
+
+	resp, err := c.docker.ImageBuild(ctx, tarArchive, buildOpts)
 	if err != nil {
 		return "", fmt.Errorf("failed to build image: %w", err)
 	}

internal/docker/validation_test.go

@@ -4,7 +4,6 @@ import (
 	"errors"
 	"log/slog"
 	"testing"
-	"time"
 )
 
 func TestValidBranchRegex(t *testing.T) {
@@ -147,52 +146,3 @@ func TestCloneRepoRejectsInjection(t *testing.T) { //nolint:funlen // table-driv
 		})
 	}
 }
-
-func TestBuildHealthcheck(t *testing.T) {
-	t.Parallel()
-
-	t.Run("creates CMD-SHELL health check", func(t *testing.T) {
-		t.Parallel()
-
-		cmd := "curl -f http://localhost:8080/healthz || exit 1"
-		hc := buildHealthcheck(cmd)
-
-		if len(hc.Test) != 2 {
-			t.Fatalf("expected 2 test elements, got %d", len(hc.Test))
-		}
-
-		if hc.Test[0] != "CMD-SHELL" {
-			t.Errorf("expected Test[0]=%q, got %q", "CMD-SHELL", hc.Test[0])
-		}
-
-		if hc.Test[1] != cmd {
-			t.Errorf("expected Test[1]=%q, got %q", cmd, hc.Test[1])
-		}
-	})
-
-	t.Run("sets expected intervals", func(t *testing.T) {
-		t.Parallel()
-
-		hc := buildHealthcheck("true")
-
-		expectedInterval := 30 * time.Second
-		if hc.Interval != expectedInterval {
-			t.Errorf("expected Interval=%v, got %v", expectedInterval, hc.Interval)
-		}
-
-		expectedTimeout := 10 * time.Second
-		if hc.Timeout != expectedTimeout {
-			t.Errorf("expected Timeout=%v, got %v", expectedTimeout, hc.Timeout)
-		}
-
-		expectedStartPeriod := 15 * time.Second
-		if hc.StartPeriod != expectedStartPeriod {
-			t.Errorf("expected StartPeriod=%v, got %v", expectedStartPeriod, hc.StartPeriod)
-		}
-
-		expectedRetries := 3
-		if hc.Retries != expectedRetries {
-			t.Errorf("expected Retries=%d, got %d", expectedRetries, hc.Retries)
-		}
-	})
-}

internal/handlers/app.go

@@ -57,17 +57,15 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 		dockerNetwork := request.FormValue("docker_network")
 		ntfyTopic := request.FormValue("ntfy_topic")
 		slackWebhook := request.FormValue("slack_webhook")
-		healthcheckCommand := request.FormValue("healthcheck_command")
 
 		data := h.addGlobals(map[string]any{
-			"Name":               name,
+			"Name":           name,
-			"RepoURL":            repoURL,
+			"RepoURL":        repoURL,
-			"Branch":             branch,
+			"Branch":         branch,
-			"DockerfilePath":     dockerfilePath,
+			"DockerfilePath": dockerfilePath,
-			"DockerNetwork":      dockerNetwork,
+			"DockerNetwork":  dockerNetwork,
-			"NtfyTopic":          ntfyTopic,
+			"NtfyTopic":      ntfyTopic,
-			"SlackWebhook":       slackWebhook,
+			"SlackWebhook":   slackWebhook,
-			"HealthcheckCommand": healthcheckCommand,
 		}, request)
 
 		if name == "" || repoURL == "" {
@@ -104,14 +102,13 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 		createdApp, createErr := h.appService.CreateApp(
 			request.Context(),
 			app.CreateAppInput{
-				Name:               name,
+				Name:           name,
-				RepoURL:            repoURL,
+				RepoURL:        repoURL,
-				Branch:             branch,
+				Branch:         branch,
-				DockerfilePath:     dockerfilePath,
+				DockerfilePath: dockerfilePath,
-				DockerNetwork:      dockerNetwork,
+				DockerNetwork:  dockerNetwork,
-				NtfyTopic:          ntfyTopic,
+				NtfyTopic:      ntfyTopic,
-				SlackWebhook:       slackWebhook,
+				SlackWebhook:   slackWebhook,
-				HealthcheckCommand: healthcheckCommand,
 			},
 		)
 		if createErr != nil {
@@ -151,6 +148,7 @@ func (h *Handlers) HandleAppDetail() http.HandlerFunc {
 		labels, _ := application.GetLabels(request.Context())
 		volumes, _ := application.GetVolumes(request.Context())
 		ports, _ := application.GetPorts(request.Context())
+		registryCreds, _ := application.GetRegistryCredentials(request.Context())
 		deployments, _ := application.GetDeployments(
 			request.Context(),
 			recentDeploymentsLimit,
@@ -166,16 +164,17 @@ func (h *Handlers) HandleAppDetail() http.HandlerFunc {
 		deployKey := formatDeployKey(application.SSHPublicKey, application.CreatedAt, application.Name)
 
 		data := h.addGlobals(map[string]any{
-			"App":              application,
+			"App":                 application,
-			"EnvVars":          envVars,
+			"EnvVars":             envVars,
-			"Labels":           labels,
+			"Labels":              labels,
-			"Volumes":          volumes,
+			"Volumes":             volumes,
-			"Ports":            ports,
+			"Ports":               ports,
-			"Deployments":      deployments,
+			"RegistryCredentials": registryCreds,
-			"LatestDeployment": latestDeployment,
+			"Deployments":         deployments,
-			"WebhookURL":       webhookURL,
+			"LatestDeployment":    latestDeployment,
-			"DeployKey":        deployKey,
+			"WebhookURL":          webhookURL,
-			"Success":          request.URL.Query().Get("success"),
+			"DeployKey":           deployKey,
+			"Success":             request.URL.Query().Get("success"),
 		}, request)
 
 		h.renderTemplate(writer, tmpl, "app_detail.html", data)
@@ -211,11 +210,6 @@ func (h *Handlers) HandleAppEdit() http.HandlerFunc {
 	}
 }
 
-// optionalNullString returns a valid NullString if the value is non-empty, or an empty NullString.
-func optionalNullString(value string) sql.NullString {
-	return sql.NullString{String: value, Valid: value != ""}
-}
-
 // HandleAppUpdate handles app updates.
 func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // validation adds necessary length
 	tmpl := templates.GetParsed()
@@ -265,10 +259,24 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // valid
 		application.RepoURL = request.FormValue("repo_url")
 		application.Branch = request.FormValue("branch")
 		application.DockerfilePath = request.FormValue("dockerfile_path")
-		application.DockerNetwork = optionalNullString(request.FormValue("docker_network"))
+
-		application.NtfyTopic = optionalNullString(request.FormValue("ntfy_topic"))
+		if network := request.FormValue("docker_network"); network != "" {
-		application.SlackWebhook = optionalNullString(request.FormValue("slack_webhook"))
+			application.DockerNetwork = sql.NullString{String: network, Valid: true}
-		application.HealthcheckCommand = optionalNullString(request.FormValue("healthcheck_command"))
+		} else {
+			application.DockerNetwork = sql.NullString{}
+		}
+
+		if ntfy := request.FormValue("ntfy_topic"); ntfy != "" {
+			application.NtfyTopic = sql.NullString{String: ntfy, Valid: true}
+		} else {
+			application.NtfyTopic = sql.NullString{}
+		}
+
+		if slack := request.FormValue("slack_webhook"); slack != "" {
+			application.SlackWebhook = sql.NullString{String: slack, Valid: true}
+		} else {
+			application.SlackWebhook = sql.NullString{}
+		}
 
 		saveErr := application.Save(request.Context())
 		if saveErr != nil {
@@ -1376,3 +1384,126 @@ func formatDeployKey(pubKey string, createdAt time.Time, appName string) string
 
 	return parts[0] + " " + parts[1] + " " + comment
 }
+
+// HandleRegistryCredentialAdd handles adding a registry credential.
+func (h *Handlers) HandleRegistryCredentialAdd() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+
+		application, findErr := models.FindApp(request.Context(), h.db, appID)
+		if findErr != nil || application == nil {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		parseErr := request.ParseForm()
+		if parseErr != nil {
+			http.Error(writer, "Bad Request", http.StatusBadRequest)
+
+			return
+		}
+
+		registryURL := strings.TrimSpace(request.FormValue("registry"))
+		username := strings.TrimSpace(request.FormValue("username"))
+		password := request.FormValue("password")
+
+		if registryURL == "" || username == "" || password == "" {
+			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
+
+			return
+		}
+
+		cred := models.NewRegistryCredential(h.db)
+		cred.AppID = appID
+		cred.Registry = registryURL
+		cred.Username = username
+		cred.Password = password
+
+		saveErr := cred.Save(request.Context())
+		if saveErr != nil {
+			h.log.Error("failed to save registry credential", "error", saveErr)
+		}
+
+		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
+	}
+}
+
+// HandleRegistryCredentialEdit handles editing an existing registry credential.
+func (h *Handlers) HandleRegistryCredentialEdit() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+		credIDStr := chi.URLParam(request, "credID")
+
+		credID, parseErr := strconv.ParseInt(credIDStr, 10, 64)
+		if parseErr != nil {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		cred, findErr := models.FindRegistryCredential(request.Context(), h.db, credID)
+		if findErr != nil || cred == nil || cred.AppID != appID {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		formErr := request.ParseForm()
+		if formErr != nil {
+			http.Error(writer, "Bad Request", http.StatusBadRequest)
+
+			return
+		}
+
+		registryURL := strings.TrimSpace(request.FormValue("registry"))
+		username := strings.TrimSpace(request.FormValue("username"))
+		password := request.FormValue("password")
+
+		if registryURL == "" || username == "" || password == "" {
+			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
+
+			return
+		}
+
+		cred.Registry = registryURL
+		cred.Username = username
+		cred.Password = password
+
+		saveErr := cred.Save(request.Context())
+		if saveErr != nil {
+			h.log.Error("failed to update registry credential", "error", saveErr)
+		}
+
+		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
+	}
+}
+
+// HandleRegistryCredentialDelete handles deleting a registry credential.
+func (h *Handlers) HandleRegistryCredentialDelete() http.HandlerFunc {
+	return func(writer http.ResponseWriter, request *http.Request) {
+		appID := chi.URLParam(request, "id")
+		credIDStr := chi.URLParam(request, "credID")
+
+		credID, parseErr := strconv.ParseInt(credIDStr, 10, 64)
+		if parseErr != nil {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		cred, findErr := models.FindRegistryCredential(request.Context(), h.db, credID)
+		if findErr != nil || cred == nil || cred.AppID != appID {
+			http.NotFound(writer, request)
+
+			return
+		}
+
+		deleteErr := cred.Delete(request.Context())
+		if deleteErr != nil {
+			h.log.Error("failed to delete registry credential", "error", deleteErr)
+		}
+
+		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
+	}
+}

internal/models/app.go

@@ -14,7 +14,7 @@ import (
 const appColumns = `id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
 			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
-			previous_image_id, healthcheck_command, created_at, updated_at`
+			previous_image_id, created_at, updated_at`
 
 // AppStatus represents the status of an app.
 type AppStatus string
@@ -32,24 +32,23 @@ const (
 type App struct {
 	db *database.Database
 
-	ID                 string
+	ID                string
-	Name               string
+	Name              string
-	RepoURL            string
+	RepoURL           string
-	Branch             string
+	Branch            string
-	DockerfilePath     string
+	DockerfilePath    string
-	WebhookSecret      string
+	WebhookSecret     string
-	WebhookSecretHash  string
+	WebhookSecretHash string
-	SSHPrivateKey      string
+	SSHPrivateKey     string
-	SSHPublicKey       string
+	SSHPublicKey      string
-	ImageID            sql.NullString
+	ImageID           sql.NullString
-	PreviousImageID    sql.NullString
+	PreviousImageID   sql.NullString
-	Status             AppStatus
+	Status            AppStatus
-	DockerNetwork      sql.NullString
+	DockerNetwork     sql.NullString
-	NtfyTopic          sql.NullString
+	NtfyTopic         sql.NullString
-	SlackWebhook       sql.NullString
+	SlackWebhook      sql.NullString
-	HealthcheckCommand sql.NullString
+	CreatedAt         time.Time
-	CreatedAt          time.Time
+	UpdatedAt         time.Time
-	UpdatedAt          time.Time
 }
 
 // NewApp creates a new App with a database reference.
@@ -120,6 +119,11 @@ func (a *App) GetWebhookEvents(
 	return FindWebhookEventsByAppID(ctx, a.db, a.ID, limit)
 }
 
+// GetRegistryCredentials returns all registry credentials for the app.
+func (a *App) GetRegistryCredentials(ctx context.Context) ([]*RegistryCredential, error) {
+	return FindRegistryCredentialsByAppID(ctx, a.db, a.ID)
+}
+
 func (a *App) exists(ctx context.Context) bool {
 	if a.ID == "" {
 		return false
@@ -143,14 +147,14 @@ func (a *App) insert(ctx context.Context) error {
 			id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
 			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
-			previous_image_id, healthcheck_command
+			previous_image_id
-		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
 
 	_, err := a.db.Exec(ctx, query,
 		a.ID, a.Name, a.RepoURL, a.Branch, a.DockerfilePath, a.WebhookSecret,
 		a.SSHPrivateKey, a.SSHPublicKey, a.ImageID, a.Status,
 		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook, a.WebhookSecretHash,
-		a.PreviousImageID, a.HealthcheckCommand,
+		a.PreviousImageID,
 	)
 	if err != nil {
 		return err
@@ -165,7 +169,7 @@ func (a *App) update(ctx context.Context) error {
 			name = ?, repo_url = ?, branch = ?, dockerfile_path = ?,
 			image_id = ?, status = ?,
 			docker_network = ?, ntfy_topic = ?, slack_webhook = ?,
-			previous_image_id = ?, healthcheck_command = ?,
+			previous_image_id = ?,
 			updated_at = CURRENT_TIMESTAMP
 		WHERE id = ?`
 
@@ -173,7 +177,7 @@ func (a *App) update(ctx context.Context) error {
 		a.Name, a.RepoURL, a.Branch, a.DockerfilePath,
 		a.ImageID, a.Status,
 		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook,
-		a.PreviousImageID, a.HealthcheckCommand,
+		a.PreviousImageID,
 		a.ID,
 	)
 
@@ -188,7 +192,7 @@ func (a *App) scan(row *sql.Row) error {
 		&a.ImageID, &a.Status,
 		&a.DockerNetwork, &a.NtfyTopic, &a.SlackWebhook,
 		&a.WebhookSecretHash,
-		&a.PreviousImageID, &a.HealthcheckCommand,
+		&a.PreviousImageID,
 		&a.CreatedAt, &a.UpdatedAt,
 	)
 }
@@ -206,7 +210,7 @@ func scanApps(appDB *database.Database, rows *sql.Rows) ([]*App, error) {
 			&app.ImageID, &app.Status,
 			&app.DockerNetwork, &app.NtfyTopic, &app.SlackWebhook,
 			&app.WebhookSecretHash,
-			&app.PreviousImageID, &app.HealthcheckCommand,
+			&app.PreviousImageID,
 			&app.CreatedAt, &app.UpdatedAt,
 		)
 		if scanErr != nil {

internal/models/models_test.go

@@ -23,6 +23,7 @@ const (
 	testBranch    = "main"
 	testValue     = "value"
 	testEventType = "push"
+	testUser      = "user"
 )
 
 func setupTestDB(t *testing.T) (*database.Database, func()) {
@@ -704,70 +705,125 @@ func TestAppGetWebhookEvents(t *testing.T) {
 	assert.Len(t, events, 1)
 }
 
-// App HealthcheckCommand Tests.
+// RegistryCredential Tests.
 
-func TestAppHealthcheckCommand(t *testing.T) {
+func TestRegistryCredentialCreateAndFind(t *testing.T) {
 	t.Parallel()
 
-	t.Run("saves and loads healthcheck command", func(t *testing.T) {
+	testDB, cleanup := setupTestDB(t)
-		t.Parallel()
+	defer cleanup()
 
-		testDB, cleanup := setupTestDB(t)
+	app := createTestApp(t, testDB)
-		defer cleanup()
 
-		app := createTestApp(t, testDB)
+	cred := models.NewRegistryCredential(testDB)
-		app.HealthcheckCommand = sql.NullString{
+	cred.AppID = app.ID
-			String: "curl -f http://localhost:8080/healthz || exit 1",
+	cred.Registry = "registry.example.com"
-			Valid:  true,
+	cred.Username = "myuser"
-		}
+	cred.Password = "mypassword"
 
-		err := app.Save(context.Background())
+	err := cred.Save(context.Background())
-		require.NoError(t, err)
+	require.NoError(t, err)
+	assert.NotZero(t, cred.ID)
 
-		found, err := models.FindApp(context.Background(), testDB, app.ID)
+	creds, err := models.FindRegistryCredentialsByAppID(
-		require.NoError(t, err)
+		context.Background(), testDB, app.ID,
-		require.NotNil(t, found)
+	)
-		assert.True(t, found.HealthcheckCommand.Valid)
+	require.NoError(t, err)
-		assert.Equal(t, "curl -f http://localhost:8080/healthz || exit 1", found.HealthcheckCommand.String)
+	require.Len(t, creds, 1)
-	})
+	assert.Equal(t, "registry.example.com", creds[0].Registry)
+	assert.Equal(t, "myuser", creds[0].Username)
+	assert.Equal(t, "mypassword", creds[0].Password)
+}
 
-	t.Run("null when not set", func(t *testing.T) {
+func TestRegistryCredentialUpdate(t *testing.T) {
-		t.Parallel()
+	t.Parallel()
 
-		testDB, cleanup := setupTestDB(t)
+	testDB, cleanup := setupTestDB(t)
-		defer cleanup()
+	defer cleanup()
 
-		app := createTestApp(t, testDB)
+	app := createTestApp(t, testDB)
 
-		found, err := models.FindApp(context.Background(), testDB, app.ID)
+	cred := models.NewRegistryCredential(testDB)
-		require.NoError(t, err)
+	cred.AppID = app.ID
-		require.NotNil(t, found)
+	cred.Registry = "old.registry.com"
-		assert.False(t, found.HealthcheckCommand.Valid)
+	cred.Username = "olduser"
-	})
+	cred.Password = "oldpass"
 
-	t.Run("can be cleared", func(t *testing.T) {
+	err := cred.Save(context.Background())
-		t.Parallel()
+	require.NoError(t, err)
 
-		testDB, cleanup := setupTestDB(t)
+	cred.Registry = "new.registry.com"
-		defer cleanup()
+	cred.Username = "newuser"
+	cred.Password = "newpass"
 
-		app := createTestApp(t, testDB)
+	err = cred.Save(context.Background())
-		app.HealthcheckCommand = sql.NullString{String: "true", Valid: true}
+	require.NoError(t, err)
 
-		err := app.Save(context.Background())
+	found, err := models.FindRegistryCredential(context.Background(), testDB, cred.ID)
-		require.NoError(t, err)
+	require.NoError(t, err)
+	require.NotNil(t, found)
+	assert.Equal(t, "new.registry.com", found.Registry)
+	assert.Equal(t, "newuser", found.Username)
+	assert.Equal(t, "newpass", found.Password)
+}
 
-		// Clear it
+func TestRegistryCredentialDelete(t *testing.T) {
-		app.HealthcheckCommand = sql.NullString{}
+	t.Parallel()
 
-		err = app.Save(context.Background())
+	testDB, cleanup := setupTestDB(t)
-		require.NoError(t, err)
+	defer cleanup()
 
-		found, err := models.FindApp(context.Background(), testDB, app.ID)
+	app := createTestApp(t, testDB)
-		require.NoError(t, err)
+
-		require.NotNil(t, found)
+	cred := models.NewRegistryCredential(testDB)
-		assert.False(t, found.HealthcheckCommand.Valid)
+	cred.AppID = app.ID
-	})
+	cred.Registry = "delete.registry.com"
+	cred.Username = testUser
+	cred.Password = "pass"
+
+	err := cred.Save(context.Background())
+	require.NoError(t, err)
+
+	err = cred.Delete(context.Background())
+	require.NoError(t, err)
+
+	creds, err := models.FindRegistryCredentialsByAppID(
+		context.Background(), testDB, app.ID,
+	)
+	require.NoError(t, err)
+	assert.Empty(t, creds)
+}
+
+func TestRegistryCredentialFindByIDNotFound(t *testing.T) {
+	t.Parallel()
+
+	testDB, cleanup := setupTestDB(t)
+	defer cleanup()
+
+	found, err := models.FindRegistryCredential(context.Background(), testDB, 99999)
+	require.NoError(t, err)
+	assert.Nil(t, found)
+}
+
+func TestAppGetRegistryCredentials(t *testing.T) {
+	t.Parallel()
+
+	testDB, cleanup := setupTestDB(t)
+	defer cleanup()
+
+	app := createTestApp(t, testDB)
+
+	cred := models.NewRegistryCredential(testDB)
+	cred.AppID = app.ID
+	cred.Registry = "ghcr.io"
+	cred.Username = testUser
+	cred.Password = "token"
+	_ = cred.Save(context.Background())
+
+	creds, err := app.GetRegistryCredentials(context.Background())
+	require.NoError(t, err)
+	assert.Len(t, creds, 1)
+	assert.Equal(t, "ghcr.io", creds[0].Registry)
 }
 
 // Cascade Delete Tests.
@@ -815,6 +871,13 @@ func TestCascadeDelete(t *testing.T) {
 		deploy.Status = models.DeploymentStatusSuccess
 		_ = deploy.Save(context.Background())
 
+		regCred := models.NewRegistryCredential(testDB)
+		regCred.AppID = app.ID
+		regCred.Registry = "registry.example.com"
+		regCred.Username = testUser
+		regCred.Password = "pass"
+		_ = regCred.Save(context.Background())
+
 		// Delete app.
 		err := app.Delete(context.Background())
 		require.NoError(t, err)
@@ -844,6 +907,11 @@ func TestCascadeDelete(t *testing.T) {
 			context.Background(), testDB, app.ID, 10,
 		)
 		assert.Empty(t, deployments)
+
+		regCreds, _ := models.FindRegistryCredentialsByAppID(
+			context.Background(), testDB, app.ID,
+		)
+		assert.Empty(t, regCreds)
 	})
 }
 

internal/models/registry_credential.go

@@ -0,0 +1,130 @@
+package models
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"fmt"
+
+	"sneak.berlin/go/upaas/internal/database"
+)
+
+// RegistryCredential represents authentication credentials for a private Docker registry.
+type RegistryCredential struct {
+	db *database.Database
+
+	ID       int64
+	AppID    string
+	Registry string
+	Username string
+	Password string //nolint:gosec // credential field required for registry auth
+}
+
+// NewRegistryCredential creates a new RegistryCredential with a database reference.
+func NewRegistryCredential(db *database.Database) *RegistryCredential {
+	return &RegistryCredential{db: db}
+}
+
+// Save inserts or updates the registry credential in the database.
+func (r *RegistryCredential) Save(ctx context.Context) error {
+	if r.ID == 0 {
+		return r.insert(ctx)
+	}
+
+	return r.update(ctx)
+}
+
+// Delete removes the registry credential from the database.
+func (r *RegistryCredential) Delete(ctx context.Context) error {
+	_, err := r.db.Exec(ctx, "DELETE FROM registry_credentials WHERE id = ?", r.ID)
+
+	return err
+}
+
+func (r *RegistryCredential) insert(ctx context.Context) error {
+	query := "INSERT INTO registry_credentials (app_id, registry, username, password) VALUES (?, ?, ?, ?)"
+
+	result, err := r.db.Exec(ctx, query, r.AppID, r.Registry, r.Username, r.Password)
+	if err != nil {
+		return err
+	}
+
+	id, err := result.LastInsertId()
+	if err != nil {
+		return err
+	}
+
+	r.ID = id
+
+	return nil
+}
+
+func (r *RegistryCredential) update(ctx context.Context) error {
+	query := "UPDATE registry_credentials SET registry = ?, username = ?, password = ? WHERE id = ?"
+
+	_, err := r.db.Exec(ctx, query, r.Registry, r.Username, r.Password, r.ID)
+
+	return err
+}
+
+// FindRegistryCredential finds a registry credential by ID.
+//
+//nolint:nilnil // returning nil,nil is idiomatic for "not found" in Active Record
+func FindRegistryCredential(
+	ctx context.Context,
+	db *database.Database,
+	id int64,
+) (*RegistryCredential, error) {
+	cred := NewRegistryCredential(db)
+
+	row := db.QueryRow(ctx,
+		"SELECT id, app_id, registry, username, password FROM registry_credentials WHERE id = ?",
+		id,
+	)
+
+	err := row.Scan(&cred.ID, &cred.AppID, &cred.Registry, &cred.Username, &cred.Password)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, nil
+		}
+
+		return nil, fmt.Errorf("scanning registry credential: %w", err)
+	}
+
+	return cred, nil
+}
+
+// FindRegistryCredentialsByAppID finds all registry credentials for an app.
+func FindRegistryCredentialsByAppID(
+	ctx context.Context,
+	db *database.Database,
+	appID string,
+) ([]*RegistryCredential, error) {
+	query := `
+		SELECT id, app_id, registry, username, password FROM registry_credentials
+		WHERE app_id = ? ORDER BY registry`
+
+	rows, err := db.Query(ctx, query, appID)
+	if err != nil {
+		return nil, fmt.Errorf("querying registry credentials by app: %w", err)
+	}
+
+	defer func() { _ = rows.Close() }()
+
+	var creds []*RegistryCredential
+
+	for rows.Next() {
+		cred := NewRegistryCredential(db)
+
+		scanErr := rows.Scan(
+			&cred.ID, &cred.AppID, &cred.Registry, &cred.Username, &cred.Password,
+		)
+		if scanErr != nil {
+			return nil, scanErr
+		}
+
+		creds = append(creds, cred)
+	}
+
+	return creds, rows.Err()
+}

internal/server/routes.go

@@ -98,6 +98,11 @@ func (s *Server) SetupRoutes() {
 			// Ports
 			r.Post("/apps/{id}/ports", s.handlers.HandlePortAdd())
 			r.Post("/apps/{id}/ports/{portID}/delete", s.handlers.HandlePortDelete())
+
+			// Registry Credentials
+			r.Post("/apps/{id}/registry-credentials", s.handlers.HandleRegistryCredentialAdd())
+			r.Post("/apps/{id}/registry-credentials/{credID}/edit", s.handlers.HandleRegistryCredentialEdit())
+			r.Post("/apps/{id}/registry-credentials/{credID}/delete", s.handlers.HandleRegistryCredentialDelete())
 		})
 	})
 

internal/service/app/app.go

@@ -46,14 +46,13 @@ func New(_ fx.Lifecycle, params ServiceParams) (*Service, error) {
 
 // CreateAppInput contains the input for creating an app.
 type CreateAppInput struct {
-	Name               string
+	Name           string
-	RepoURL            string
+	RepoURL        string
-	Branch             string
+	Branch         string
-	DockerfilePath     string
+	DockerfilePath string
-	DockerNetwork      string
+	DockerNetwork  string
-	NtfyTopic          string
+	NtfyTopic      string
-	SlackWebhook       string
+	SlackWebhook   string
-	HealthcheckCommand string
 }
 
 // CreateApp creates a new application with generated SSH keys and webhook secret.
@@ -101,10 +100,6 @@ func (svc *Service) CreateApp(
 		app.SlackWebhook = sql.NullString{String: input.SlackWebhook, Valid: true}
 	}
 
-	if input.HealthcheckCommand != "" {
-		app.HealthcheckCommand = sql.NullString{String: input.HealthcheckCommand, Valid: true}
-	}
-
 	saveErr := app.Save(ctx)
 	if saveErr != nil {
 		return nil, fmt.Errorf("failed to save app: %w", saveErr)
@@ -117,14 +112,13 @@ func (svc *Service) CreateApp(
 
 // UpdateAppInput contains the input for updating an app.
 type UpdateAppInput struct {
-	Name               string
+	Name           string
-	RepoURL            string
+	RepoURL        string
-	Branch             string
+	Branch         string
-	DockerfilePath     string
+	DockerfilePath string
-	DockerNetwork      string
+	DockerNetwork  string
-	NtfyTopic          string
+	NtfyTopic      string
-	SlackWebhook       string
+	SlackWebhook   string
-	HealthcheckCommand string
 }
 
 // UpdateApp updates an existing application.
@@ -150,10 +144,6 @@ func (svc *Service) UpdateApp(
 		String: input.SlackWebhook,
 		Valid:  input.SlackWebhook != "",
 	}
-	app.HealthcheckCommand = sql.NullString{
-		String: input.HealthcheckCommand,
-		Valid:  input.HealthcheckCommand != "",
-	}
 
 	saveErr := app.Save(ctx)
 	if saveErr != nil {

internal/service/deploy/deploy.go

@@ -830,6 +830,13 @@ func (svc *Service) buildImage(
 	logWriter := newDeploymentLogWriter(ctx, deployment)
 	defer logWriter.Close()
 
+	// Fetch registry credentials for private base images
+	registryAuths, err := svc.buildRegistryAuths(ctx, app)
+	if err != nil {
+		svc.log.Warn("failed to fetch registry credentials", "error", err, "app", app.Name)
+		// Continue without auth — public images will still work
+	}
+
 	// BuildImage creates a tar archive from the local filesystem,
 	// so it needs the container path where files exist, not the host path.
 	imageID, err := svc.docker.BuildImage(ctx, docker.BuildImageOptions{
@@ -837,6 +844,7 @@ func (svc *Service) buildImage(
 		DockerfilePath: app.DockerfilePath,
 		Tags:           []string{imageTag},
 		LogWriter:      logWriter,
+		RegistryAuths:  registryAuths,
 	})
 	if err != nil {
 		svc.notify.NotifyBuildFailed(ctx, app, deployment, err)
@@ -1094,20 +1102,14 @@ func (svc *Service) buildContainerOptions(
 		network = app.DockerNetwork.String
 	}
 
-	healthcheckCmd := ""
-	if app.HealthcheckCommand.Valid {
-		healthcheckCmd = app.HealthcheckCommand.String
-	}
-
 	return docker.CreateContainerOptions{
-		Name:               "upaas-" + app.Name,
+		Name:    "upaas-" + app.Name,
-		Image:              imageID.String(),
+		Image:   imageID.String(),
-		Env:                envMap,
+		Env:     envMap,
-		Labels:             buildLabelMap(app, labels),
+		Labels:  buildLabelMap(app, labels),
-		Volumes:            buildVolumeMounts(volumes),
+		Volumes: buildVolumeMounts(volumes),
-		Ports:              buildPortMappings(ports),
+		Ports:   buildPortMappings(ports),
-		Network:            network,
+		Network: network,
-		HealthcheckCommand: healthcheckCmd,
 	}, nil
 }
 
@@ -1233,6 +1235,34 @@ func (svc *Service) failDeployment(
 	_ = app.Save(ctx)
 }
 
+// buildRegistryAuths fetches registry credentials for an app and converts them
+// to Docker RegistryAuth objects for use during image builds.
+func (svc *Service) buildRegistryAuths(
+	ctx context.Context,
+	app *models.App,
+) ([]docker.RegistryAuth, error) {
+	creds, err := app.GetRegistryCredentials(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get registry credentials: %w", err)
+	}
+
+	if len(creds) == 0 {
+		return nil, nil
+	}
+
+	auths := make([]docker.RegistryAuth, 0, len(creds))
+
+	for _, cred := range creds {
+		auths = append(auths, docker.RegistryAuth{
+			Registry: cred.Registry,
+			Username: cred.Username,
+			Password: cred.Password,
+		})
+	}
+
+	return auths, nil
+}
+
 // writeLogsToFile writes the deployment logs to a file on disk.
 // Structure: DataDir/logs/<hostname>/<appname>/<appname>_<sha>_<timestamp>.log.txt
 func (svc *Service) writeLogsToFile(app *models.App, deployment *models.Deployment) {

internal/service/deploy/deploy_container_test.go

@@ -2,7 +2,6 @@ package deploy_test
 
 import (
 	"context"
-	"database/sql"
 	"log/slog"
 	"os"
 	"testing"
@@ -44,64 +43,3 @@ func TestBuildContainerOptionsUsesImageID(t *testing.T) {
 		t.Errorf("expected Name=%q, got %q", "upaas-myapp", opts.Name)
 	}
 }
-
-func TestBuildContainerOptionsHealthcheckSet(t *testing.T) {
-	t.Parallel()
-
-	db := database.NewTestDatabase(t)
-
-	app := models.NewApp(db)
-	app.Name = "hc-app"
-	app.HealthcheckCommand = sql.NullString{
-		String: "curl -f http://localhost:8080/healthz || exit 1",
-		Valid:  true,
-	}
-
-	err := app.Save(context.Background())
-	if err != nil {
-		t.Fatalf("failed to save app: %v", err)
-	}
-
-	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
-	svc := deploy.NewTestService(log)
-
-	opts, err := svc.BuildContainerOptionsExported(
-		context.Background(), app, "sha256:test",
-	)
-	if err != nil {
-		t.Fatalf("buildContainerOptions returned error: %v", err)
-	}
-
-	expected := "curl -f http://localhost:8080/healthz || exit 1"
-	if opts.HealthcheckCommand != expected {
-		t.Errorf("expected HealthcheckCommand=%q, got %q", expected, opts.HealthcheckCommand)
-	}
-}
-
-func TestBuildContainerOptionsHealthcheckEmpty(t *testing.T) {
-	t.Parallel()
-
-	db := database.NewTestDatabase(t)
-
-	app := models.NewApp(db)
-	app.Name = "no-hc-app"
-
-	err := app.Save(context.Background())
-	if err != nil {
-		t.Fatalf("failed to save app: %v", err)
-	}
-
-	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
-	svc := deploy.NewTestService(log)
-
-	opts, err := svc.BuildContainerOptionsExported(
-		context.Background(), app, "sha256:test",
-	)
-	if err != nil {
-		t.Fatalf("buildContainerOptions returned error: %v", err)
-	}
-
-	if opts.HealthcheckCommand != "" {
-		t.Errorf("expected empty HealthcheckCommand, got %q", opts.HealthcheckCommand)
-	}
-}

templates/app_detail.html

@@ -154,6 +154,69 @@
         <div class="hidden">{{ .CSRFField }}</div>
     </div>
 
+    <!-- Registry Credentials -->
+    <div class="card p-6 mb-6">
+        <h2 class="section-title mb-4">Registry Credentials</h2>
+        <p class="text-sm text-gray-500 mb-3">Authenticate to private Docker registries when pulling base images during builds.</p>
+        {{if .RegistryCredentials}}
+        <div class="overflow-x-auto mb-4">
+            <table class="table">
+                <thead class="table-header">
+                    <tr>
+                        <th>Registry</th>
+                        <th>Username</th>
+                        <th>Password</th>
+                        <th class="text-right">Actions</th>
+                    </tr>
+                </thead>
+                <tbody class="table-body">
+                    {{range .RegistryCredentials}}
+                    <tr x-data="{ editing: false }">
+                        <template x-if="!editing">
+                            <td class="font-mono">{{.Registry}}</td>
+                        </template>
+                        <template x-if="!editing">
+                            <td class="font-mono">{{.Username}}</td>
+                        </template>
+                        <template x-if="!editing">
+                            <td class="font-mono text-gray-400">••••••••</td>
+                        </template>
+                        <template x-if="!editing">
+                            <td class="text-right">
+                                <button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
+                                <form method="POST" action="/apps/{{$.App.ID}}/registry-credentials/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this registry credential?')" @submit="confirm($event)">
+                                    {{ $.CSRFField }}
+                                    <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
+                                </form>
+                            </td>
+                        </template>
+                        <template x-if="editing">
+                            <td colspan="4">
+                                <form method="POST" action="/apps/{{$.App.ID}}/registry-credentials/{{.ID}}/edit" class="flex gap-2 items-center">
+                                    {{ $.CSRFField }}
+                                    <input type="text" name="registry" value="{{.Registry}}" required class="input flex-1 font-mono text-sm" placeholder="registry.example.com">
+                                    <input type="text" name="username" value="{{.Username}}" required class="input flex-1 font-mono text-sm" placeholder="username">
+                                    <input type="password" name="password" required class="input flex-1 font-mono text-sm" placeholder="password">
+                                    <button type="submit" class="btn-primary text-sm">Save</button>
+                                    <button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
+                                </form>
+                            </td>
+                        </template>
+                    </tr>
+                    {{end}}
+                </tbody>
+            </table>
+        </div>
+        {{end}}
+        <form method="POST" action="/apps/{{.App.ID}}/registry-credentials" class="flex flex-col sm:flex-row gap-2">
+            {{ .CSRFField }}
+            <input type="text" name="registry" placeholder="registry.example.com" required class="input flex-1 font-mono text-sm">
+            <input type="text" name="username" placeholder="username" required class="input flex-1 font-mono text-sm">
+            <input type="password" name="password" placeholder="password" required class="input flex-1 font-mono text-sm">
+            <button type="submit" class="btn-primary">Add</button>
+        </form>
+    </div>
+
     <!-- Labels -->
     <div class="card p-6 mb-6">
         <h2 class="section-title mb-4">Docker Labels</h2>

templates/app_edit.html

@@ -114,19 +114,6 @@
                 >
             </div>
 
-            <div class="form-group">
-                <label for="healthcheck_command" class="label">Health Check Command</label>
-                <input
-                    type="text"
-                    id="healthcheck_command"
-                    name="healthcheck_command"
-                    value="{{if .App.HealthcheckCommand.Valid}}{{.App.HealthcheckCommand.String}}{{end}}"
-                    class="input font-mono"
-                    placeholder="curl -f http://localhost:8080/healthz || exit 1"
-                >
-                <p class="text-sm text-gray-500 mt-1">Custom shell command to check container health. Leave empty to use the image's default health check.</p>
-            </div>
-
             <div class="flex justify-end gap-3 pt-4">
                 <a href="/apps/{{.App.ID}}" class="btn-secondary">Cancel</a>
                 <button type="submit" class="btn-primary">Save Changes</button>

templates/app_new.html

@@ -117,19 +117,6 @@
                 >
             </div>
 
-            <div class="form-group">
-                <label for="healthcheck_command" class="label">Health Check Command</label>
-                <input
-                    type="text"
-                    id="healthcheck_command"
-                    name="healthcheck_command"
-                    value="{{.HealthcheckCommand}}"
-                    class="input font-mono"
-                    placeholder="curl -f http://localhost:8080/healthz || exit 1"
-                >
-                <p class="text-sm text-gray-500 mt-1">Custom shell command to check container health. Leave empty to use the image's default health check.</p>
-            </div>
-
             <div class="flex justify-end gap-3 pt-4">
                 <a href="/" class="btn-secondary">Cancel</a>
                 <button type="submit" class="btn-primary">Create App</button>