diff --git a/modules/k8s-node/cloud-init.yaml.tftpl b/modules/k8s-node/cloud-init.yaml.tftpl
index 748cbd7..b6eb937 100644
--- a/modules/k8s-node/cloud-init.yaml.tftpl
+++ b/modules/k8s-node/cloud-init.yaml.tftpl
@@ -6,6 +6,10 @@ hostname: ${hostname}
 manage_etc_hosts: true
 disable_root: false
+# Runs BEFORE runcmd, on every boot — survives manage_etc_hosts rewrite
+bootcmd:
+ - grep -q '10.10.10.1 gitea' /etc/hosts || echo '10.10.10.1 gitea' >> /etc/hosts
+
 users:
 - name: root
 ssh_authorized_keys:
@@ -34,15 +38,26 @@ write_files:
 net.bridge.bridge-nf-call-ip6tables = 1
 net.ipv4.ip_forward = 1
- # containerd config — systemd cgroup driver (required for kubeadm)
+ # containerd config — systemd cgroup driver + registry mirror path
 - path: /etc/containerd/config.toml
 content: |
 version = 2
+ [plugins."io.containerd.grpc.v1.cri".registry]
+ config_path = "/etc/containerd/certs.d"
 [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
 runtime_type = "io.containerd.runc.v2"
 [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
 SystemdCgroup = true
+ # containerd registry mirror for Gitea (10.10.10.1:3000 via loki-tunnel)
+ - path: /etc/containerd/certs.d/10.10.10.1:3000/hosts.toml
+ content: |
+ server = "http://10.10.10.1:3000"
+ [host."http://10.10.10.1:3000"]
+ capabilities = ["pull", "resolve", "push"]
+ skip_verify = true
+
 # node_exporter systemd unit
 - path: /etc/systemd/system/node_exporter.service
 content: |
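Review bot: The comment on the new `bootcmd` claims the appended `/etc/hosts` entry "survives manage_etc_hosts rewrite", but with `manage_etc_hosts: true` still set two lines above, cloud-init regenerates `/etc/hosts` from its template in the init stage, and in the default `cloud_init_modules` order `bootcmd` runs before `update_etc_hosts` — so the rewrite would happen after the append, not before it (this is from memory of the default module order, so please confirm against the image's cloud.cfg). If that holds, the `gitea` entry is lost on every boot and the comment is misleading. Safer options are `manage_etc_hosts: localhost`, which leaves other entries alone, or carrying the entry in a hosts template instead of a shell append; whichever is chosen, the comment should state the verified ordering rather than assert survival. The rest of the `users:` list continues outside the hunk.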
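Review bot: The new `hosts.toml` grants the node `capabilities = ["pull", "resolve", "push"]`, but a kubelet-driven containerd only ever pulls and resolves, so `push` widens what a compromised node's containerd is permitted to do against the Gitea registry for no benefit; `capabilities = ["pull", "resolve"]` is the least-privilege form. `skip_verify = true` has no effect on a plain `http://` endpoint and mainly signals that TLS verification is being switched off, so it should either be dropped or, better, the endpoint moved to `https://` with the CA pinned via `ca = "<path-to-ca.crt placeholder>"` in the same host block. With image content travelling in cleartext over the tunnel, integrity rests entirely on pulling by digest; the comment above the entry could say so: `# plain HTTP: no transport integrity — pin images by digest in manifests`. The `write_files:` list this entry belongs to starts and ends outside the hunk.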