From 3f3467cb1357649d7b07dd9d892f44f964882f12 Mon Sep 17 00:00:00 2001
From: Roger Oriol
Date: Sat, 27 Jun 2026 11:46:53 +0200
Subject: [PATCH] gitea registry ingress
---
 gitea/registry-ingress.yaml | 42 +++++++++++++++++++++++++++++
 platform-engineer/build-and-push.sh | 39 ++++++++++++++++++++-------
 platform-engineer/deployment.yaml | 4 +--
 3 files changed, 73 insertions(+), 12 deletions(-)
 create mode 100644 gitea/registry-ingress.yaml
 mode change 100644 => 100755 platform-engineer/build-and-push.sh
diff --git a/gitea/registry-ingress.yaml b/gitea/registry-ingress.yaml
new file mode 100644
index 0000000..9814c6a
--- /dev/null
+++ b/gitea/registry-ingress.yaml
@@ -0,0 +1,42 @@
+# Dedicated DNS-only hostname for the Gitea container registry.
+#
+# WHY: Docker registry pushes can't go through the Cloudflare proxy, which caps
+# request bodies at 100 MB (413 Payload Too Large). `registry.rogi.casa` is a
+# DNS-only (grey-cloud) record in Cloudflare pointing straight at the cluster,
+# so Traefik serves it directly with a Let's Encrypt cert (HTTP-01). Git traffic
+# on `git.rogi.casa` stays behind the Cloudflare proxy untouched.
+#
+# Cloudflare setup:
+# A registry.rogi.casa DNS-only (grey cloud)
+#
+# Push with:
+# docker login registry.rogi.casa -u
+# docker tag git.rogi.casa/roger/hermes-agent:v1.35-1 registry.rogi.casa/roger/hermes-agent:v1.35-1
+# docker push registry.rogi.casa/roger/hermes-agent:v1.35-1
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: gitea-registry
+ namespace: gitea
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ # Allow large docker layer uploads (no upstream body-size cap from Traefik).
+ traefik.ingress.kubernetes.io/buffering: |
+ maxRequestBodyBytes: 0
+spec:
+ ingressClassName: traefik
+ tls:
+ - hosts:
+ - registry.rogi.casa
+ secretName: gitea-registry-tls
+ rules:
+ - host: registry.rogi.casa
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: gitea
+ port:
+ number: 80
diff --git a/platform-engineer/build-and-push.sh b/platform-engineer/build-and-push.sh
old mode 100644
new mode 100755
index c9599cb..98faec1
--- a/platform-engineer/build-and-push.sh
+++ b/platform-engineer/build-and-push.sh
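Review bot: The rule at the end of the hunk routes `path: /` on `registry.rogi.casa` to the whole gitea service, so the web UI, API and git-over-HTTPS all become reachable on the DNS-only hostname with none of the Cloudflare-side protection the header comment says git traffic keeps; only the registry API is needed here, so scope it with `- path: /v2` (the OCI distribution API, including Gitea's token endpoint, lives under `/v2/`) and keep `pathType: Prefix`. A grey-cloud record also publishes the cluster's origin IP, which is inherent to this approach but belongs in the WHY comment so nobody assumes the proxy still hides it. The `traefik.ingress.kubernetes.io/buffering` annotation looks like a Traefik v1 key; on the Traefik v2/v3 that k3s bundles it is presumably ignored (Traefik imposes no body limit unless a buffering Middleware is attached), so confirm it against the installed version or drop it rather than leave a comment that promises something the annotation may not do.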
@@ -1,24 +1,43 @@
 #!/usr/bin/env bash
-# Build & push the derived Hermes image (kubectl + helm) to the Gitea registry.
+# Build & push the derived Hermes image (kubectl + helm).
 #
-# Run this on a machine with docker + access to git.rogi.casa:
-# ./platform-engineer/build-and-push.sh
+# Two modes:
+# ./build-and-push.sh push # build + push to the Gitea registry
+# ./build-and-push.sh local # build + import directly into the NUC's k3s containerd
+# # (no registry needed; pod is pinned to this node)
 #
-# Prereqs:
-# - docker login git.rogi.casa (use your Gitea username + access token)
+# Default (no arg): push.
 set -euo pipefail
-REGISTRY="git.rogi.casa"
+# Docker registry pushes can't go through the Cloudflare proxy (100 MB cap),
+# so push to the DNS-only registry hostname instead of git.rogi.casa.
+# Override with: REGISTRY=git.rogi.casa ./build-and-push.sh push (if grey-clouded)
+REGISTRY="${REGISTRY:-registry.rogi.casa}"
 REPO="roger/hermes-agent"
 TAG="${TAG:-v1.35-1}"
 IMAGE="${REGISTRY}/${REPO}:${TAG}"
+MODE="${1:-push}"
 cd "$(dirname "$0")"
 echo "==> Building ${IMAGE}"
 docker build --platform linux/amd64 -t "${IMAGE}" -f dockerfile .
-echo "==> Pushing ${IMAGE}"
-docker push "${IMAGE}"
-
-echo "==> Done. Update platform-engineer/deployment.yaml image: if you changed TAG."
+case "$MODE" in
+ push)
+ echo "==> Pushing ${IMAGE}"
+ docker push "${IMAGE}"
+ echo "==> Done. If the pod can't pull, create the gitea-registry secret in the namespace."
+ ;;
+ local)
+ # Requires k3s + being run on the node the pod schedules to (roger-nucbox-evo-x2).
+ echo "==> Importing into k3s containerd (requires sudo)"
+ docker save "${IMAGE}" | sudo k3s ctr images import -
+ echo "==> Done. Verify: sudo k3s ctr images ls | grep hermes-agent"
+ echo " deployment.yaml is set to imagePullPolicy: IfNotPresent"
+ ;;
+ *)
+ echo "Usage: $0 {push|local}" >&2
+ exit 1
+ ;;
+esac
diff --git a/platform-engineer/deployment.yaml b/platform-engineer/deployment.yaml
index 8fe3de8..546aa80 100644
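Review bot: The `*)` usage arm at the bottom only runs after `docker build` has already finished, so a mistyped mode argument costs a full image build before the script fails; validate the argument right after `MODE="${1:-push}"` with `case "$MODE" in push|local) ;; *) echo "Usage: $0 {push|local}" >&2; exit 1 ;; esac` and keep the later `case` for the actual work. The `push` arm's done message should also warn that a node already holding `${IMAGE}` under the same tag (for example from an earlier `local` import) will not re-pull it while the Deployment uses `imagePullPolicy: IfNotPresent`, which the `local` arm's own echo confirms is the setting, so the user must bump `TAG` or delete the node-local copy for a pushed rebuild to take effect. In the `local` arm it is worth a comment that `docker save | k3s ctr images import` bypasses the registry entirely, so whatever the image is later expected to be (signature, digest) is not checked on that path.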
--- a/platform-engineer/deployment.yaml +++ b/platform-engineer/deployment.yaml @@ -68,8 +68,8 @@ spec: containers: - name: hermes - image: git.rogi.casa/roger/hermes-agent:v1.35-1 - imagePullPolicy: Always + image: registry.rogi.casa/roger/hermes-agent:v1.35-1 + imagePullPolicy: IfNotPresent # falls back to local image if present command: ["gateway", "run"] ports: - name: gateway
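Review bot: `imagePullPolicy: IfNotPresent` together with the reused mutable tag `v1.35-1` means a node that already holds an image by that name, such as one imported with the build script's `local` mode, keeps running it even after a new build is pushed to the registry, so updates silently stop arriving unless `TAG` changes with every build; either use a unique tag per build or reference the image by digest, `image: registry.rogi.casa/roger/hermes-agent@sha256:<digest>`, which is immutable and makes the pull policy irrelevant for correctness. The change of registry host also affects credentials: if this Deployment carries an `imagePullSecrets` entry (not visible in this hunk), the dockerconfigjson it points to must be keyed by `registry.rogi.casa`, because an entry for `git.rogi.casa` will not be matched for the new image name. The enclosing pod spec begins and ends outside the hunk.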