diff --git a/stacks/infra/main.tf b/stacks/infra/main.tf
index fc8c915d..2d75525a 100644
--- a/stacks/infra/main.tf
+++ b/stacks/infra/main.tf
@@ -75,9 +75,13 @@ module "k8s-node-template" {
 mkdir -p /etc/containerd/certs.d/ghcr.io
 printf 'server = "https://ghcr.io"\n\n[host."http://10.0.20.10:5010"]\n capabilities = ["pull", "resolve"]\n' > /etc/containerd/certs.d/ghcr.io/hosts.toml
- # Create hosts.toml for private registry (10.0.20.10:5050) — skip TLS verify (IP-based, wildcard cert)
+ # Create hosts.toml for private registry — both IP and hostname entries
+ # IP-based (10.0.20.10:5050): direct access, skip TLS verify (wildcard cert, no IP SAN)
 mkdir -p /etc/containerd/certs.d/10.0.20.10:5050
 printf 'server = "https://10.0.20.10:5050"\n\n[host."https://10.0.20.10:5050"]\n capabilities = ["pull", "resolve", "push"]\n skip_verify = true\n' > /etc/containerd/certs.d/10.0.20.10:5050/hosts.toml
+ # Hostname-based (registry.viktorbarzin.me): redirects to LAN IP to avoid Traefik round-trip
+ mkdir -p /etc/containerd/certs.d/registry.viktorbarzin.me
+ printf 'server = "https://registry.viktorbarzin.me"\n\n[host."https://10.0.20.10:5050"]\n capabilities = ["pull", "resolve", "push"]\n skip_verify = true\n' > /etc/containerd/certs.d/registry.viktorbarzin.me/hosts.toml
 # Low-traffic registries (registry.k8s.io, quay.io, reg.kyverno.io) pull directly.
 # Pull-through cache removed: caused corrupted images (truncated downloads)
diff --git a/stacks/priority-pass/main.tf b/stacks/priority-pass/main.tf
index 27f269f5..51b91143 100644
--- a/stacks/priority-pass/main.tf
+++ b/stacks/priority-pass/main.tf
@@ -47,7 +47,7 @@ resource "kubernetes_deployment" "priority-pass" {
 }
 container {
 name = "frontend"
- image = "10.0.20.10:5050/priority-pass-frontend:v4"
+ image = "registry.viktorbarzin.me/priority-pass-frontend:v4"
 port {
 container_port = 3000
 }
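Review bot: The new `registry.viktorbarzin.me` hosts.toml still points at the `https://10.0.20.10:5050` mirror with `skip_verify = true`, so pulls by hostname are just as unverified as the IP path: anything on that LAN segment able to answer for 10.0.20.10 can serve arbitrary layers, and the deployments in this same commit pull by mutable tag rather than digest. The comment attributes the skip to "wildcard cert, no IP SAN", which is a name-matching problem rather than a trust problem — if the wildcard cert is what the registry itself presents on 5050, resolving `registry.viktorbarzin.me` to 10.0.20.10 on the nodes (an `/etc/hosts` entry or split-horizon DNS) and using `[host."https://registry.viktorbarzin.me:5050"]` without `skip_verify` would let containerd verify it, and if the cert chains to a private CA, `ca = "/path/to/ca.crt"` in the `[host]` table pins it instead. The `"push"` capability also looks unnecessary for node-side pulls and could be dropped from both `[host]` tables as a least-privilege tidy-up. The heredoc these lines belong to starts before the hunk.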
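Review bot: `image = "registry.viktorbarzin.me/priority-pass-frontend:v4"` still references a mutable tag, and the containerd config in this same commit reaches that hostname through a mirror with `skip_verify = true`, so neither the transport nor the reference pins what the node actually runs. Pin the digest, e.g. `image = "registry.viktorbarzin.me/priority-pass-frontend:v4@sha256:<digest>"`, or at minimum record the expected digest in a comment next to the tag so drift is detectable. The `kubernetes_deployment` resource and its `container` block start before the hunk.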
@@ -71,7 +71,7 @@ resource "kubernetes_deployment" "priority-pass" {
 }
 container {
 name = "backend"
- image = "10.0.20.10:5050/priority-pass-backend:v1"
+ image = "registry.viktorbarzin.me/priority-pass-backend:v1"
 port {
 container_port = 8000
 }
@@ -118,6 +118,6 @@ module "ingress" {
 namespace = "priority-pass"
 name = "priority-pass"
 tls_secret_name = var.tls_secret_name
- protected = false
+ protected = true
 max_body_size = "10m"
 }
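Review bot: `protected = true` flips the ingress from open to whatever the `ingress` module's `protected` flag enforces, but nothing on the hunk says what that is or why it was previously `false`; a one-line comment stating the intent, e.g. `# protected: gate the app behind the ingress module's auth middleware`, worded to match what the module actually does, would save the next reader a trip into the module. If `protected` inserts an auth redirect in front of every path, it is worth confirming that the frontend's requests to the backend on port 8000 still carry the session (or are excluded), since browser fetches that hit a redirect-to-login tend to fail silently. The `module "ingress"` block starts before the hunk.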