I'm using Gitlab CE as the all-in-one docker container and Nexus as an artifact store. Because there is already an integrated Docker registry within Nexus, I'd like to use it.
Within the CI/CD process this already works with docker-login and scripts to push the image to the external registry.
I've learned that Gitlab can also view the external registry.
So I've created a key:
openssl req -nodes -newkey rsa:4096 -keyout registry-auth.key -out registry-auth.csr -subj "/CN=gitlab-issuer"
openssl x509 -in registry-auth.csr -out registry-auth.crt -req -signkey registry-auth.key -days 3650
And configured Gitlab to know about the Nexus Docker registry:
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_host'] = "nexus.example.com"
gitlab_rails['registry_api_url'] = "https://example.example.com/"
gitlab_rails['registry_key_path'] = "/etc/gitlab/registry-certs/registry-auth.key"
gitlab_rails['registry_issuer'] = "gitlab-issuer"
gitlab_rails['gitlab_default_projects_features_container_registry'] = true
I've also tried to set
registry['internal_key'] = "-----BEGIN PRIVATE KEY-----\nMIIJRAIBADANBgkqhkiG9w0B...\n-----END PRIVATE KEY-----"
because the private key in gitlab_rails['registry_key_path'] is always overwritten by registry['internal_key'].
The certificate /etc/gitlab/registry-certs/registry-auth.crt is stored within Nexus under Security/SSL Certificates.
Within Gitlab I can see a new menu point Docker Registry under Packages & Registry. But when I start to browse, it says:
There are no container images stored for this project
So the connection works, but it cannot find any manifests. At least there are already some tags, etc. But the Nexus request.log says:
10.255.0.15 - - [18/Jul/2022:13:04:28 +0000] "GET /repository/docker-hub/v2/ HTTP/1.1" 401 - 113 13 "GitLab/15.1.2" [qtp86803781-2306]
So it isn't authenticated. But I don't know how to inform Gitlab about a Docker user, nor do I know how to configure Nexus to use the certificate correctly. Of course anonymous access is disabled within Nexus. Where do I need to map Gitlab users with Nexus users? Is this possible?
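One thing worth checking in a setup like this, as an added example that is not part of the original post: GitLab signs registry bearer tokens with the private key in registry_key_path, and the registry side can only validate them if the certificate it trusts carries the matching public key and a CN equal to registry_issuer. The functions below (file paths and the issuer name are assumptions) compare the public key inside the certificate with the one derived from the private key, and check the certificate CN, so a mismatched or overwritten key is caught before debugging the token flow.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the private key GitLab
# uses for registry tokens and the certificate uploaded to Nexus under
# Security/SSL Certificates are one key pair, and that the CN matches the issuer.
set -e

# Public key derived from a private key file, in PEM SubjectPublicKeyInfo form.
pubkey_from_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Public key embedded in an X.509 certificate, in the same PEM form.
pubkey_from_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Exit status 0 when key file $1 and certificate $2 belong together, 1 otherwise.
# An unreadable or non-key file yields an empty public key and therefore a mismatch.
keypair_matches() {
    key_pub=$(pubkey_from_key "$1" || true)
    cert_pub=$(pubkey_from_cert "$2" || true)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Exit status 0 when certificate $1 was issued with CN equal to $2
# (the value that must appear in gitlab_rails['registry_issuer']).
cert_cn_is() {
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2\$"
}

# Stand-alone usage with the paths from the post (assumed to exist on this host).
if [ "${1:-}" = "--check" ]; then
    KEY=/etc/gitlab/registry-certs/registry-auth.key
    CRT=/etc/gitlab/registry-certs/registry-auth.crt
    keypair_matches "$KEY" "$CRT" && echo "key and certificate match" \
        || echo "MISMATCH: certificate in Nexus does not belong to registry_key_path"
    cert_cn_is "$CRT" gitlab-issuer && echo "CN matches registry_issuer" \
        || echo "CN differs from registry_issuer"
fi
```

Run it as `sh check-registry-keypair.sh --check` on the GitLab host; a mismatch usually means the key at registry_key_path was regenerated or replaced (for example by registry['internal_key']) after the certificate was uploaded.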