diff --git a/playbooks/roles/registry/files/registry-docker/docker-compose.yaml b/playbooks/roles/registry/files/registry-docker/docker-compose.yaml
index 523b5c70dd..2dea072786 100644
--- a/playbooks/roles/registry/files/registry-docker/docker-compose.yaml
+++ b/playbooks/roles/registry/files/registry-docker/docker-compose.yaml
@@ -7,13 +7,8 @@ services:
 restart: always
 image: registry:2
 network_mode: host
- environment:
- REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
- REGISTRY_HTTP_TLS_KEY: /certs/domain.key
- REGISTRY_AUTH: htpasswd
- REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
- REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
 volumes:
 - /var/registry/data:/var/lib/registry
 - /var/registry/certs:/certs
 - /var/registry/auth:/auth
+ - /var/registry/etc:/etc/docker/registry
diff --git a/playbooks/roles/registry/tasks/main.yaml b/playbooks/roles/registry/tasks/main.yaml
index 2166755474..39c092f2a2 100644
--- a/playbooks/roles/registry/tasks/main.yaml
+++ b/playbooks/roles/registry/tasks/main.yaml
@@ -10,6 +10,7 @@
 - data
 - certs
 - auth
+ - etc
 - name: Install passlib
 package:
 name:
@@ -31,6 +32,10 @@
 copy:
 content: "{{ registry_tls_cert }}{{ registry_tls_chain | default('') }}"
 dest: /var/registry/certs/domain.crt
+- name: Write registry config
+ template:
+ src: config.yml.j2
+ dest: /var/registry/etc/config.yml
 - name: Install docker-compose
 package:
 name:
diff --git a/playbooks/roles/registry/templates/config.yml.j2 b/playbooks/roles/registry/templates/config.yml.j2
new file mode 100644
index 0000000000..49f74ec6ae
--- /dev/null
+++ b/playbooks/roles/registry/templates/config.yml.j2
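Review bot: The bind mount added at the end of the `volumes` list in docker-compose.yaml is read-write, although the directory it exposes now holds config.yml, which the template in this change fills with the Swift password and secret key. The container only needs to read that file, so the entry can be `- /var/registry/etc:/etc/docker/registry:ro`. The service definition begins above the hunk, so its name and remaining settings are not visible here.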
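Review bot: The `Write registry config` task added in the second hunk of tasks/main.yaml sets no `owner`, `group` or `mode`, so /var/registry/etc/config.yml gets whatever the umask yields, commonly world-readable, while the rendered template contains the Swift password and `secretkey`. Adding `mode: '0600'` together with `owner: root` and `group: root` restricts the credentials to the account that runs the container; that presumably matches the user the registry process runs as, which should be confirmed. The directory-creation loop that the first hunk extends with `etc` starts above the visible lines, so whether that directory gets a restrictive mode cannot be checked from here.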
@@ -0,0 +1,33 @@
+version: 0.1
+log:
+ fields:
+ service: registry
+storage:
+ cache:
+ blobdescriptor: inmemory
+ swift:
+ username: {{ registry_swift_username }}
+ password: {{ registry_swift_password }}
+ authurl: {{ registry_swift_authurl }}
+ tenant: {{ registry_swift_tenant }}
+ region: {{ registry_swift_region }}
+ container: {{ registry_swift_container }}
+ secretkey: {{ registry_swift_secretkey }}
+ delete:
+ enabled: true
+http:
+ addr: :5000
+ headers:
+ X-Content-Type-Options: [nosniff]
+ tls:
+ certificate: /certs/domain.crt
+ key: /certs/domain.key
+health:
+ storagedriver:
+ enabled: true
+ interval: 10s
+ threshold: 3
+auth:
+ htpasswd:
+ realm: Registry Realm
+ path: /auth/htpasswd
diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml
index 372f5c9be5..29013c14e6 100644
--- a/playbooks/zuul/run-base.yaml
+++ b/playbooks/zuul/run-base.yaml
@@ -66,6 +66,7 @@
 - group_vars/gitea.yaml
 - group_vars/gitea-lb.yaml
 - group_vars/letsencrypt.yaml
+ - group_vars/registry.yaml
 - host_vars/bridge.openstack.org.yaml
 - host_vars/letsencrypt01.opendev.org.yaml
 - host_vars/letsencrypt02.opendev.org.yaml
diff --git a/playbooks/zuul/templates/group_vars/registry.yaml.j2 b/playbooks/zuul/templates/group_vars/registry.yaml.j2
index bd38909e75..82cae3ccba 100644
--- a/playbooks/zuul/templates/group_vars/registry.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/registry.yaml.j2
@@ -1,3 +1,10 @@
+registry_swift_username: openstackregistry
+registry_swift_password: testpassword
+registry_swift_authurl: https://identity.example.com/v2.0/
+registry_swift_tenant: 123456
+registry_swift_region: DFW
+registry_swift_container: intermediate_registry
+registry_swift_secretkey: testsecretkey
 registry_password: testpassword
 registry_tls_cert: |
 -----BEGIN CERTIFICATE-----
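Review bot: The seven values under `storage.swift` in the new config.yml.j2 are interpolated as bare YAML scalars, so a password or secret key containing ` #` or `: `, or starting with `*`, `&`, `!` or `{`, is silently truncated, re-typed or makes the rendered file unparseable, and an empty variable renders as null. Emitting each value as a quoted scalar removes the dependence on the secret's content, for example `password: {{ registry_swift_password | to_json }}`. The same change applies to `username`, `authurl`, `tenant`, `region`, `container` and `secretkey`. A silently truncated secret would surface only as a storage authentication failure at runtime, which is hard to trace back to the template.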
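Review bot: `registry_swift_tenant: 123456` in the test group_vars (playbooks/zuul/templates/group_vars/registry.yaml.j2) is parsed as an integer, while every other Swift setting in the hunk is a string, so the test renders config.yml with a different type than an alphanumeric or zero-padded production tenant ID would. Quoting the fixture, `registry_swift_tenant: '123456'`, keeps the test data representative. Whether the storage driver accepts an integer there is not visible on this page. The hunk's trailing context is the start of the `registry_tls_cert` block, which continues past the visible lines.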