docs: fix hosts.toml examples and improve clarity

Address review feedback from dmcgowan:
- Fix "disable push" example to use top-level capabilities field instead
  of a [host] entry (the [host] section is for mirrors, not the default endpoint)
- Fix mirror example to remove redundant [host] entry for the upstream
  registry; server already handles fallback
- Replace "internal registry only" example with a simpler correct approach:
  set server to the internal registry URL, no [host] entries needed
- Add Windows directory name format for registries with ports
- Add _default/ directory to the tree and explain its use as a global fallback
- Clarify format section: top-level fields vs [host] sections, and that
  capabilities defaults to all three if not set

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>

Author: dvdksn

content/manuals/engine/daemon/configure-registry.md

@@ -20,18 +20,22 @@ Docker Engine reads registry host configuration from the following directory:
 | Rootless mode | `~/.config/docker/certs.d/` |
 
 Create a subdirectory for each registry you want to configure. The directory
-name must match the registry host as it appears in image references:
+name must match the registry host as it appears in image references. On
+Windows, replace the colon with underscores for registries that use a
+non-standard port, since colons are not valid in Windows directory names:
 
-| Image reference                         | Directory                    |
-| --------------------------------------- | ---------------------------- |
-| `docker.io/myorg/myimage:latest`        | `docker.io/`                 |
-| `registry.example.com/myimage:latest`   | `registry.example.com/`      |
-| `registry.example.com:5000/myimage:tag` | `registry.example.com:5000/` |
+| Image reference                         | Directory (Linux)                    | Directory (Windows)           |
+| --------------------------------------- | ------------------------------------ | ----------------------------- |
+| `docker.io/myorg/myimage:latest`        | `docker.io/`                         | `docker.io\`                  |
+| `registry.example.com/myimage:latest`   | `registry.example.com/`              | `registry.example.com\`       |
+| `registry.example.com:5000/myimage:tag` | `registry.example.com:5000/`         | `registry.example.com_5000_\` |
 
 Each directory contains a `hosts.toml` file:
 
 ```text
 /etc/docker/certs.d/
+├── _default/
+│   └── hosts.toml
 ├── docker.io/
 │   └── hosts.toml
 ├── registry.example.com/
@@ -40,71 +44,78 @@ Each directory contains a `hosts.toml` file:
     └── hosts.toml
 ```
 
+The `_default/` directory is optional. If present, its `hosts.toml` settings
+apply to any registry that doesn't have its own directory. Use it to set a
+global mirror or change the default behavior for all registries.
+
 Changes to `hosts.toml` files take effect immediately, without restarting
 Docker.
 
 ## hosts.toml format
 
-Each `hosts.toml` file configures the behavior for one registry. The `server`
-field sets the upstream registry URL. The `[host]` section configures specific
-endpoints, including what operations they're allowed to perform using the
-`capabilities` field.
+Each `hosts.toml` file configures one registry. The file has two levels of
+configuration:
+
+- **Top-level fields** — apply to the registry's default endpoint (the server
+  itself). Common fields are `server`, `capabilities`, `ca`, and `skip_verify`.
+- **`[host]` sections** — configure additional endpoints such as mirrors.
+  Hosts are tried in the order listed before falling back to the `server`.
 
-Valid capabilities are:
+The `server` field sets the upstream registry URL. If omitted, Docker uses the
+registry name from the image reference.
 
-| Capability | Description          |
-| ---------- | -------------------- |
-| `pull`     | Allow pulling images |
-| `resolve`  | Allow tag resolution |
-| `push`     | Allow pushing images |
+Valid values for `capabilities` are:
+
+| Capability | Description                       |
+| ---------- | --------------------------------- |
+| `pull`     | Allow pulling images              |
+| `resolve`  | Allow resolving a tag to a digest |
+| `push`     | Allow pushing images              |
+
+If `capabilities` is not set, all three are enabled by default.
 
 ## Examples
 
 ### Disable push to a registry
 
-To prevent Docker from pushing images to a specific registry, omit `push` from
-the capabilities:
+To prevent Docker from pushing images to a specific registry, set `capabilities`
+at the top level and omit `push`:
 
 ```toml {title="/etc/docker/certs.d/docker.io/hosts.toml"}
 server = "https://registry-1.docker.io"
-
-[host."https://registry-1.docker.io"]
-  capabilities = ["pull", "resolve"]
+capabilities = ["pull", "resolve"]
 ```
 
 With this configuration, `docker pull` from Docker Hub works normally, but
 `docker push` to Docker Hub returns an error.
 
 ### Redirect pulls to a mirror
 
-To route pull traffic through a registry mirror:
+To route pull traffic through a registry mirror, add the mirror as a `[host]`
+entry. Docker tries the mirror first for pulls and falls back to the upstream
+registry if the mirror doesn't have the image.
+
+Pushes always bypass mirrors and go directly to the upstream registry because
+the mirror entry only has `pull` and `resolve` capabilities:
 
 ```toml {title="/etc/docker/certs.d/docker.io/hosts.toml"}
 server = "https://registry-1.docker.io"
 
 [host."https://mirror.example.com"]
   capabilities = ["pull", "resolve"]
-
-[host."https://registry-1.docker.io"]
-  capabilities = ["pull", "resolve", "push"]
 ```
 
-Docker tries the mirror first for pulls, and falls back to Docker Hub if the
-mirror doesn't have the image. Pushes always go to Docker Hub directly.
+### Use an internal registry
 
-### Internal registry only
-
-To restrict Docker to only push and pull from an internal registry, and block
-access to all public registries:
+To route all traffic for a registry namespace through an internal host, set
+`server` to the internal registry URL. No `[host]` entries are needed:
 
 ```toml {title="/etc/docker/certs.d/docker.io/hosts.toml"}
-server = "https://registry-1.docker.io"
-
-[host."https://registry-1.docker.io"]
-  capabilities = []
+server = "https://registry.internal.example.com"
 ```
 
-With no capabilities, all operations to that registry fail.
+With this configuration, Docker sends all push and pull operations for
+`docker.io` images to `registry.internal.example.com` instead.
 
 > [!NOTE]
 > This configuration controls behavior at the daemon level, not as a security