From a008ee4702a79529596184893c72905c917b6222 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Thu, 19 Feb 2026 08:22:00 -0800
Subject: [PATCH] Add container policy.json and registries.conf for ringtail

Minimal container config: policy.json for skopeo image pushes, and
registries.conf with unqualified search matching indri's minikube setup
(registry.ops.eblu.me, docker.io, ghcr.io, quay.io).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 nixos/ringtail/configuration.nix | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/nixos/ringtail/configuration.nix b/nixos/ringtail/configuration.nix
index 4dfb92f..6cb0581 100644
--- a/nixos/ringtail/configuration.nix
+++ b/nixos/ringtail/configuration.nix
@@ -446,6 +446,15 @@ in
     "d /mnt/storage2 0755 eblume users -"
   ];
 
+  # Container config for skopeo (used by the forgejo runner to push images)
+  # and for unqualified image pulls via Zot pull-through cache
+  environment.etc."containers/policy.json".text = builtins.toJSON {
+    default = [{ type = "insecureAcceptAnything"; }];
+  };
+  environment.etc."containers/registries.conf".text = ''
+    unqualified-search-registries = ["registry.ops.eblu.me", "docker.io", "ghcr.io", "quay.io"]
+  '';
+
   # Forgejo Actions runner (nix container builder)
   services.gitea-actions-runner = {
     package = pkgs.forgejo-runner;