fix: persist gitea hosts entry + containerd registry mirror in cloud-init

manage_etc_hosts: true rewrites /etc/hosts on every VM boot, removing
the manually-added gitea entry. This broke image pulls after bare_srv_1
reboot because containerd couldn't resolve the Gitea auth token URL.

Changes:
- Add bootcmd to ensure 10.10.10.1 gitea in /etc/hosts on every boot
- Add containerd registry mirror config in write_files (was only in bootstrap)
- Add registry config_path to containerd config.toml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

modules/k8s-node/cloud-init.yaml.tftpl

@@ -6,6 +6,10 @@ hostname: ${hostname}
 manage_etc_hosts: true
 disable_root: false
 
+# Runs BEFORE runcmd, on every boot — survives manage_etc_hosts rewrite
+bootcmd:
+  - grep -q '10.10.10.1 gitea' /etc/hosts || echo '10.10.10.1 gitea' >> /etc/hosts
+
 users:
   - name: root
     ssh_authorized_keys:
@@ -34,15 +38,26 @@ write_files:
       net.bridge.bridge-nf-call-ip6tables = 1
       net.ipv4.ip_forward = 1
 
-  # containerd config — systemd cgroup driver (required for kubeadm)
+  # containerd config — systemd cgroup driver + registry mirror path
   - path: /etc/containerd/config.toml
     content: |
       version = 2
+      [plugins."io.containerd.grpc.v1.cri".registry]
+        config_path = "/etc/containerd/certs.d"
       [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
         runtime_type = "io.containerd.runc.v2"
       [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
         SystemdCgroup = true
 
+  # containerd registry mirror for Gitea (10.10.10.1:3000 via loki-tunnel)
+  - path: /etc/containerd/certs.d/10.10.10.1:3000/hosts.toml
+    content: |
+      server = "http://10.10.10.1:3000"
+
+      [host."http://10.10.10.1:3000"]
+        capabilities = ["pull", "resolve", "push"]
+        skip_verify = true
+
   # node_exporter systemd unit
   - path: /etc/systemd/system/node_exporter.service
     content: |