Add registry.lunarfront.tech: DNS-only subdomain with Let's Encrypt cert, no CF upload limit

terraform/main.tf

@@ -98,17 +98,18 @@ resource "digitalocean_firewall" "gitea" {
     source_addresses = ["${var.admin_ip}/32"]
   }
 
-  # HTTP/HTTPS — Cloudflare IPs only
+  # HTTP — Cloudflare IPs only (web UI)
   inbound_rule {
     protocol         = "tcp"
     port_range       = "80"
     source_addresses = concat(local.cloudflare_ipv4, local.cloudflare_ipv6)
   }
 
+  # HTTPS — Cloudflare IPs for proxied domains + all IPs for registry (DNS-only)
   inbound_rule {
     protocol         = "tcp"
     port_range       = "443"
-    source_addresses = concat(local.cloudflare_ipv4, local.cloudflare_ipv6)
+    source_addresses = ["0.0.0.0/0", "::/0"]
   }
 
   # Gitea SSH for git push/pull — your IP only
@@ -161,3 +162,13 @@ resource "cloudflare_record" "git_ssh" {
   ttl     = 3600
 }
 
+# DNS only — no Cloudflare proxy, for container registry (no 100MB upload limit)
+resource "cloudflare_record" "registry" {
+  zone_id = data.cloudflare_zone.main.id
+  name    = "registry"
+  type    = "A"
+  value   = digitalocean_droplet.gitea.ipv4_address
+  proxied = false
+  ttl     = 3600
+}
+