diff --git a/templates/registry.yaml b/templates/registry.yaml
index 676b6f8..bef1915 100644
--- a/templates/registry.yaml
+++ b/templates/registry.yaml
@@ -82,11 +82,17 @@ metadata:
 labels:
 odoosky.io/component: registry
 spec:
- type: ClusterIP
+ # NodePort, not ClusterIP. The kubelet runs on the host and can't
+ # resolve cluster DNS, so it pulls images via 127.0.0.1:
+ # mapped in /etc/rancher/k3s/registries.yaml. In-cluster build Jobs
+ # push to the cluster-DNS hostname, which routes through the
+ # ClusterIP. Same registry, two reachability paths.
+ type: NodePort
 ports:
 - name: http
 port: {{ .Values.registry.service.port }}
 targetPort: 5000
+ nodePort: {{ .Values.registry.service.nodePort }}
 selector:
 odoosky.io/component: registry
 {{- end }}
diff --git a/values.yaml b/values.yaml
index 8014079..283f635 100644
--- a/values.yaml
+++ b/values.yaml
@@ -19,6 +19,12 @@ registry:
 # the hostname for HTTP image pulls.
 service:
 port: 5000
+ # NodePort the kubelet on each node uses to reach the registry
+ # (via the host-side 127.0.0.1: mirror entry in
+ # /etc/rancher/k3s/registries.yaml). Picked outside the default
+ # 30000-32767 NodePort range's busy zone; change if the cluster
+ # already uses 30500 for something else.
+ nodePort: 30500
 # Storage. The registry survives node restarts but is recreatable —
 # if the PVC is wiped, Tower's ensureAddonImage will rebuild any
 # missing images from Gitea source on demand. So we don't need a
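Review bot: Switching the Service to `type: NodePort` opens the registry on every node address at the chosen port, not only on 127.0.0.1 as the new comment suggests, because kube-proxy serves NodePorts on all node interfaces unless `--nodeport-addresses` is narrowed. The values.yaml context describes HTTP image pulls and no authentication is visible in this diff, so if the registry is indeed unauthenticated, any host that can reach a node on that port could pull images or push one that the kubelet later runs. I would limit the port to loopback (kube-proxy `--nodeport-addresses=127.0.0.0/8` or a host firewall rule) or put authentication in front of the registry, and add to the comment `# NodePort listens on all node addresses by default; restrict it to loopback on the host.` Separately, `nodePort: {{ .Values.registry.service.nodePort }}` renders a null when the value is unset, so the API server would pick a random port and the host-side mirror entry would stop matching; wrapping it in `required` would fail the render instead. The manifest begins above this hunk.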
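Review bot: The new comment on `nodePort` says the port was picked outside the default 30000-32767 range's "busy zone", which is easy to misread as outside the range, although 30500 lies inside it and must do so to be accepted. The comment also leaves out that the chart cannot update `/etc/rancher/k3s/registries.yaml`, so changing this value without editing that file on every node breaks image pulls. I would reword it to `# Must be inside the cluster's NodePort range (default 30000-32767) and match the port in /etc/rancher/k3s/registries.yaml on every node.` As shown here the `127.0.0.1:` in the comment ends without a port, possibly a placeholder lost in rendering; if it is missing in the file too, name the value key there.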