Migrate registry to Caddy (registry.ops.eblu.me) (#58)

## Summary
- Update all references from `registry.tail8d86e.ts.net` to `registry.ops.eblu.me`
- Remove `tailscale_serve` ansible role (no longer needed - all services migrated to Caddy)
- Update minikube containerd config for new registry URL
- Update devpi manifest, CI actions, and mise tasks

## Deployment and Testing
- [ ] Run `mise run provision-indri -- --check --diff` (dry run)
- [ ] Run `mise run provision-indri -- --tags minikube` to update containerd config
- [ ] Sync devpi ArgoCD app: `argocd app sync devpi`
- [ ] Manually remove old Tailscale serve entry: `ssh indri 'tailscale serve --service=svc:registry off'`
- [ ] Test registry access: `curl https://registry.ops.eblu.me/v2/_catalog`
- [ ] Run `mise run indri-services-check` to verify all services healthy

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/58

.forgejo/actions/build-push-image/action.yaml

@@ -28,7 +28,7 @@ inputs:
   registry:
     description: 'Registry URL'
     required: false
-    default: 'registry.tail8d86e.ts.net'
+    default: 'registry.ops.eblu.me'
   tailscale_authkey:
     description: 'Tailscale OAuth client secret for ci-gateway'
     required: true

ansible/playbooks/indri.yml

@@ -114,8 +114,6 @@
       tags: minikube_metrics
     - role: plex_metrics
       tags: plex_metrics
-    - role: tailscale_serve
-      tags: tailscale-serve
     - role: forgejo_runner
       tags: forgejo_runner
     - role: caddy

ansible/roles/minikube/tasks/main.yml

@@ -85,29 +85,29 @@
   ansible.builtin.command:
     cmd: minikube ssh --native-ssh=false "sudo mkdir -p /etc/containerd/certs.d/{{ item }}"
   loop:
-    - registry.tail8d86e.ts.net
+    - registry.ops.eblu.me
     - docker.io
     - ghcr.io
     - quay.io
   changed_when: false
   when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
 
-# Private registry (registry.tail8d86e.ts.net) - direct to zot
-- name: Check registry.tail8d86e.ts.net config
+# Private registry (registry.ops.eblu.me) - direct to zot
+- name: Check registry.ops.eblu.me config
   ansible.builtin.command:
-    cmd: minikube ssh --native-ssh=false "cat /etc/containerd/certs.d/registry.tail8d86e.ts.net/hosts.toml 2>/dev/null || echo ''"
+    cmd: minikube ssh --native-ssh=false "cat /etc/containerd/certs.d/registry.ops.eblu.me/hosts.toml 2>/dev/null || echo ''"
   register: minikube_registry_config
   changed_when: false
   when: minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout
 
-- name: Configure registry.tail8d86e.ts.net mirror
+- name: Configure registry.ops.eblu.me mirror
   ansible.builtin.command:
     cmd: |
       minikube ssh --native-ssh=false 'echo "server = \"http://host.minikube.internal:5050\"
 
       [host.\"http://host.minikube.internal:5050\"]
         capabilities = [\"pull\", \"resolve\", \"push\"]
-        skip_verify = true" | sudo tee /etc/containerd/certs.d/registry.tail8d86e.ts.net/hosts.toml'
+        skip_verify = true" | sudo tee /etc/containerd/certs.d/registry.ops.eblu.me/hosts.toml'
   changed_when: true
   when:
     - minikube_final_status.rc == 0 and 'Running' in minikube_final_status.stdout

ansible/roles/tailscale_serve/defaults/main.yml

@@ -1,12 +0,0 @@
----
-# Tailscale serve configuration for this host
-# Each service maps a Tailscale service name to local endpoints
-#
-# NOTE: forge has been migrated to Caddy (forge.ops.eblu.me)
-# Registry will be migrated next, then this role can be retired.
-
-tailscale_serve_services:
-  - name: svc:registry
-    https:
-      port: 443
-      upstream: http://localhost:5050

ansible/roles/tailscale_serve/meta/main.yml

@@ -1,4 +0,0 @@
----
-# Role ordering is controlled by indri.yml playbook - do not add dependencies here
-# (Ansible's tag accumulation prevents proper deduplication when using meta dependencies)
-dependencies: []

ansible/roles/tailscale_serve/tasks/main.yml

@@ -1,38 +0,0 @@
----
-- name: Get current tailscale serve status
-  ansible.builtin.command: tailscale serve status --json
-  register: tailscale_serve_status
-  changed_when: false
-
-- name: Parse serve status
-  ansible.builtin.set_fact:
-    tailscale_serve_config: "{{ ((tailscale_serve_status.stdout | default('{}', true)) | from_json).Services | default({}) }}"
-
-# Configure HTTPS if service doesn't have Web config yet
-- name: Configure HTTPS services
-  ansible.builtin.command: >
-    tailscale serve --service="{{ item.name }}"
-    --https={{ item.https.port }} {{ item.https.upstream }}
-  loop: "{{ tailscale_serve_services }}"
-  when:
-    - item.https is defined
-    - tailscale_serve_config[item.name] is not defined or tailscale_serve_config[item.name].Web is not defined
-  register: tailscale_serve_https_result
-  changed_when: true
-  failed_when: false
-
-# Configure TCP if service doesn't have the specific port configured yet
-- name: Configure TCP services
-  ansible.builtin.command: >
-    tailscale serve --service="{{ item.name }}"
-    --tcp={{ item.tcp.port }} {{ item.tcp.upstream }}
-  loop: "{{ tailscale_serve_services }}"
-  when:
-    - item.tcp is defined
-    - tailscale_serve_config[item.name] is not defined or
-      tailscale_serve_config[item.name].TCP is not defined or
-      tailscale_serve_config[item.name].TCP[item.tcp.port | string] is not defined or
-      tailscale_serve_config[item.name].TCP[item.tcp.port | string].TCPForward is not defined
-  register: tailscale_serve_tcp_result
-  changed_when: true
-  failed_when: false

argocd/manifests/devpi/statefulset.yaml

@@ -19,7 +19,7 @@ spec:
       containers:
         - name: devpi
           # TODO: Tag builds with semantic versions (e.g., v1.0.0) for reproducibility
-          image: registry.tail8d86e.ts.net/blumeops/devpi:latest
+          image: registry.ops.eblu.me/blumeops/devpi:latest
           env:
             - name: DEVPI_ROOT_PASSWORD
               valueFrom:

containers/nettest/Dockerfile

@@ -5,10 +5,10 @@
 # - Minikube pods (manual testing)
 #
 # Build:
-#   docker build -t registry.tail8d86e.ts.net/blumeops/nettest:latest .
+#   docker build -t registry.ops.eblu.me/blumeops/nettest:latest .
 #
 # Run:
-#   docker run --rm registry.tail8d86e.ts.net/blumeops/nettest:latest
+#   docker run --rm registry.ops.eblu.me/blumeops/nettest:latest
 
 FROM alpine:3.21
 

mise-tasks/container-list

@@ -3,7 +3,7 @@
 
 set -euo pipefail
 
-REGISTRY="registry.tail8d86e.ts.net"
+REGISTRY="registry.ops.eblu.me"
 CONTAINER_DIR="containers"
 
 echo "Container Images"

mise-tasks/container-tag-and-release

@@ -49,7 +49,7 @@ IMAGE="blumeops/${CONTAINER}"
 
 echo "Container: $CONTAINER"
 echo "Directory: $CONTAINER_DIR"
-echo "Image: registry.tail8d86e.ts.net/$IMAGE:$VERSION"
+echo "Image: registry.ops.eblu.me/$IMAGE:$VERSION"
 echo ""
 
 # Confirm
@@ -68,7 +68,7 @@ echo ""
 echo "Tag '$TAG' created and pushed"
 echo ""
 echo "The workflow will now build and push:"
-echo "  registry.tail8d86e.ts.net/$IMAGE:$VERSION"
+echo "  registry.ops.eblu.me/$IMAGE:$VERSION"
 echo ""
 echo "Monitor the build at:"
 echo "  https://forge.ops.eblu.me/eblume/blumeops/actions"

mise-tasks/indri-services-check

@@ -71,7 +71,7 @@ check_http "Loki" "https://loki.tail8d86e.ts.net/ready"
 check_http "Grafana" "https://grafana.tail8d86e.ts.net/api/health"
 check_http "ArgoCD" "https://argocd.tail8d86e.ts.net/healthz"
 check_http "Forgejo" "https://forge.ops.eblu.me/"
-check_http "Zot Registry" "https://registry.tail8d86e.ts.net/v2/_catalog"
+check_http "Zot Registry" "https://registry.ops.eblu.me/v2/_catalog"
 check_http "Kiwix" "https://kiwix.tail8d86e.ts.net/"
 check_http "Miniflux" "https://feed.tail8d86e.ts.net/healthcheck"
 check_http "TeslaMate" "https://tesla.tail8d86e.ts.net/"