fix(deploy): remove broken init container, document registry push workaround

The Helm init container used /bin/RunProdServer which doesn't exist in IHP's
Nix Docker image (binary is at a Nix store path). Additionally, IHP v1.5's
RunProdServer starts the server after migrating — it never exits — so init
containers are the wrong pattern. IHP applies schema changes on startup.

Changes:
- Remove initContainers block from deployment.yaml entirely
- Set runMigrations: false as default in values.yaml
- Update RUNBOOK.md with correct skopeo push procedure (pre-fetch bearer token
  to work around Gitea's misconfigured token realm URL: port 80 vs actual 32166)
- Add note that the Nix image has no /bin/sh or /bin/RunProdServer wrapper

k3s registry auth: credentials added to /etc/rancher/k3s/registries.yaml and
iptables DNAT rule added on Railiance01 (92.205.130.254:80 → 32166) so the
ACME token realm redirect works. hub.coulomb.social DNS A record still needed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

deploy/helm/inter-hub/templates/deployment.yaml

@@ -15,15 +15,6 @@ spec:
       labels:
         app: {{ .Release.Name }}
     spec:
-      initContainers:
-        {{- if .Values.runMigrations }}
-        - name: migrate
-          image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
-          command: ["/bin/RunProdServer", "migrate"]
-          envFrom:
-            - secretRef:
-                name: {{ .Values.envFrom.secretRef }}
-        {{- end }}
       containers:
         - name: inter-hub
           image: {{ .Values.image.repository }}:{{ .Values.image.tag }}

deploy/helm/inter-hub/values.yaml

@@ -30,4 +30,4 @@ resources:
 envFrom:
   secretRef: inter-hub-env
 
-runMigrations: true
+runMigrations: false

deploy/railiance/RUNBOOK.md

@@ -25,15 +25,29 @@ helm upgrade --install inter-hub deploy/helm/inter-hub \
 ```bash
 ssh root@192.168.178.135
 cd /root/inter-hub
-git pull  # (requires Gitea auth — see Gitea credentials section)
-nix build .#docker --accept-flake-config --option lazy-trees false
-# Push to Gitea registry:
-skopeo copy docker-archive:result \
-  docker://92.205.130.254:32166/coulomb/inter-hub:<sha> \
-  --dest-creds "tegwick:<GITEA_TOKEN>" \
-  --dest-tls-verify=false
+# Build:
+nix build .#docker --log-format raw > /tmp/build.log 2>&1
+
+# Push — Gitea registry token realm points to gitea.coulomb.social:80 but Gitea
+# only listens on port 32166; skopeo must use a pre-fetched token:
+SHA=$(git rev-parse --short HEAD)
+SKOPEO=/nix/store/fwdagky9lfsyrgzxiq14zijcziazfdsn-skopeo-1.22.2/bin/skopeo
+TOKEN=$(curl -s \
+  "http://92.205.130.254:32166/v2/token?service=container_registry&scope=repository:coulomb/inter-hub:push,pull" \
+  -u 'tegwick:<GITEA_API_KEY>' | awk -F'"' '/token/{print $4}')
+$SKOPEO copy --insecure-policy --dest-tls-verify=false \
+  --dest-registry-token "$TOKEN" \
+  docker-archive:result \
+  docker://92.205.130.254:32166/coulomb/inter-hub:$SHA
 ```
 
+**Notes:**
+- `skopeo` is in the Nix profile but not on PATH — use the full store path above.
+- The IHP Nix Docker image has NO `/bin/RunProdServer` symlink. The binary lives at
+  `/nix/store/<hash>-inter-hub/bin/RunProdServer` (hash changes per build).
+  Use `kubectl exec deploy/inter-hub -- /nix/store/*-inter-hub/bin/RunProdServer <cmd>`
+  if a shell is not available (the Nix image has no `/bin/sh`).
+
 ## Gitea Registry Credentials
 
 The Gitea token for registry push is stored in `~/.config/tea/config.yml` on the