diff --git a/plans/k8s-migration.md b/plans/k8s-migration.md
index 5a773cc..4650719 100644
--- a/plans/k8s-migration.md
+++ b/plans/k8s-migration.md
@@ -130,6 +130,9 @@ mise run tailnet-preview   # Review changes - should show new tag
 mise run tailnet-up        # Apply changes
 ```
 
+**Implementation Details:**
+- Also need to add `"tag:registry"` to indri's tags in `pulumi/__main__.py` (the `DeviceTags` resource), not just define it in `policy.hujson`. The policy file defines the tag ownership rules, but the device tags are managed separately in the Python code.
+
 ---
 
 ### Step 0.2: Create Tailscale Services in Admin Console (MANUAL)
@@ -140,7 +143,9 @@ mise run tailnet-up        # Apply changes
 2. Create service `registry` with:
    - Port: 443 (HTTPS)
    - Host: indri
-3. Apply tag `tag:registry` to indri if not already tagged
+
+**Implementation Details:**
+- Tag is applied to indri via Pulumi in Step 0.1, not manually in admin console.
 
 **Verification:**
 ```bash
diff --git a/pulumi/__main__.py b/pulumi/__main__.py
index 33f3d0d..3b8b817 100644
--- a/pulumi/__main__.py
+++ b/pulumi/__main__.py
@@ -52,6 +52,7 @@ indri_tags = tailscale.DeviceTags(
         "tag:loki",
         "tag:pg",
         "tag:feed",
+        "tag:registry",  # Zot container registry
     ],
 )