diff --git a/modules/docker-registry/docker-compose.yml b/modules/docker-registry/docker-compose.yml
index 687dab27..c76af6ae 100644
--- a/modules/docker-registry/docker-compose.yml
+++ b/modules/docker-registry/docker-compose.yml
@@ -89,25 +89,45 @@ services:
 retries: 3
 start_period: 10s
- # registry-private removed in Phase 4 of forgejo-registry-consolidation
- # 2026-05-07. The /v2/ private registry has migrated to Forgejo at
- # forgejo.viktorbarzin.me/viktor/. Pull-through caches for upstream
- # registries (dockerhub, ghcr, quay, k8s, kyverno) stay on this VM.
- # Manual decommission step on the live VM:
+ # registry-private is being kept TEMPORARILY during Phase 3+4 of
+ # forgejo-registry-consolidation 2026-05-07 — needed for the orphan-image
+ # migration script to pull images one last time before flipping the
+ # cluster off it. To remove: drop this entire block, drop the 5050:5050
+ # port mapping in nginx, and run on the live VM:
 # ssh root@10.0.20.10 'cd /opt/registry && docker compose up -d --remove-orphans'
 # …and after 1 week of no incidents, `rm -rf /opt/registry/data/private/`.
+ registry-private:
+ image: registry:2.8.3
+ container_name: registry-private
+ restart: always
+ volumes:
+ - /opt/registry/data/private:/var/lib/registry
+ - /opt/registry/config-private.yml:/etc/docker/registry/config.yml:ro
+ - /opt/registry/htpasswd:/auth/htpasswd:ro
+ networks:
+ - registry
+ healthcheck:
+ # 401 is expected (auth required) — any HTTP response means the registry is healthy
+ test: ["CMD", "sh", "-c", "wget -qS -O /dev/null http://127.0.0.1:5000/v2/ 2>&1 | grep -q 'HTTP/'"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ start_period: 10s
 nginx:
 image: nginx:alpine
 container_name: registry-nginx
 restart: always
- # 5050 dropped Phase 4 of forgejo-registry-consolidation 2026-05-07.
+ # 5050 will be dropped after the migration script finishes copying images
+ # off registry-private — see Phase 4 of forgejo-registry-consolidation
+ # 2026-05-07.
 ports:
 - "5000:5000"
 - "5010:5010"
 - "5020:5020"
 - "5030:5030"
 - "5040:5040"
+ - "5050:5050"
 volumes:
 - /opt/registry/nginx.conf:/etc/nginx/nginx.conf:ro
 - /opt/registry/tls:/etc/nginx/tls:ro
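Review bot: The removal checklist in the new registry-private comment (`To remove: drop this entire block, drop the 5050:5050 port mapping in nginx, and run on the live VM`) is incomplete: this same change also adds a `depends_on` entry for registry-private under the nginx service (next hunk of this file) and an `upstream private` plus port-5050 server block in nginx_registry.conf, and a `depends_on` reference left behind after the service block is deleted makes compose reject the file as depending on an undefined service. I would extend the comment to `# To remove: drop this block, the depends_on entry and the 5050:5050 port mapping in nginx below, and the upstream/server blocks in nginx_registry.conf, then run on the live VM:`. Separately, the health test treats any `HTTP/` response as healthy, so a registry answering 500 still counts as healthy for the nginx dependency; that is acceptable for liveness but worth saying in the comment, since nginx now waits on this status.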
@@ -125,6 +145,8 @@ services:
 condition: service_healthy
 registry-kyverno:
 condition: service_healthy
+ registry-private:
+ condition: service_healthy
 healthcheck:
 test: ["CMD", "sh", "-c", "wget -qO- http://127.0.0.1:5000/v2/ >/dev/null 2>&1"]
 interval: 30s
diff --git a/modules/docker-registry/nginx_registry.conf b/modules/docker-registry/nginx_registry.conf
index e46d9f22..24add4c7 100644
--- a/modules/docker-registry/nginx_registry.conf
+++ b/modules/docker-registry/nginx_registry.conf
@@ -33,9 +33,16 @@ http {
 keepalive 32;
 }
- # `upstream private` removed in Phase 4 of forgejo-registry-consolidation
- # 2026-05-07. The /v2/ private registry is now Forgejo at
- # forgejo.viktorbarzin.me/viktor/.
+ # `upstream private` is being kept TEMPORARILY during Phase 3+4 of
+ # forgejo-registry-consolidation 2026-05-07 — registry-private is the
+ # source of every image we still need to migrate to Forgejo. Drop this
+ # block and the port-5050 server below in the SAME commit that runs the
+ # final `docker compose up -d --remove-orphans` to stop the
+ # registry-private container.
+ upstream private {
+ server registry-private:5000;
+ keepalive 32;
+ }
 # --- Docker Hub (port 5000) ---
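Review bot: Gating nginx on `registry-private: condition: service_healthy` turns a service the comments call temporary into a hard startup dependency of every pull-through cache port (5000–5040): if registry-private never passes its healthcheck, nginx does not start at all. nginx does need the container running so that `registry-private` resolves when the `upstream private` block is loaded, but `condition: service_started` is enough for that and lets a broken private registry degrade only port 5050 (a 502) rather than the whole proxy. The sibling entries visible in the hunk use `service_healthy`, so if uniformity is preferred, a comment recording the trade-off would help: `# service_healthy here means a failing registry-private blocks all cache ports; temporary until Phase 4`.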
@@ -167,8 +174,41 @@ http {
 }
 }
- # --- Private R/W Registry (port 5050) removed Phase 4 2026-05-07 ---
- # The TLS port 5050 server block previously fronted `registry-private`.
- # Migrated to Forgejo at forgejo.viktorbarzin.me/viktor/. nginx no longer
- # listens on 5050; docker-compose.yml drops the `5050:5050` port mapping.
+ # --- Private R/W Registry (port 5050, TLS) ---
+ # KEPT TEMPORARILY during Phase 3+4 of forgejo-registry-consolidation
+ # 2026-05-07 to allow the orphan-image migration script to pull images
+ # off this registry one last time. To remove: drop this server block,
+ # the upstream `private` block above, and the 5050:5050 port mapping
+ # in docker-compose.yml — all in the same commit.
+ server {
+ listen 5050 ssl;
+ server_name registry.viktorbarzin.me;
+
+ ssl_certificate /etc/nginx/tls/fullchain.pem;
+ ssl_certificate_key /etc/nginx/tls/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ client_max_body_size 0;
+ proxy_request_buffering off;
+ proxy_buffering off;
+ chunked_transfer_encoding on;
+
+ location /v2/ {
+ proxy_pass http://private;
+ proxy_http_version 1.1;
+ proxy_set_header Host $http_host;
+ proxy_set_header Connection "";
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_read_timeout 900;
+ proxy_send_timeout 900;
+ }
+
+ location / {
+ return 200 'ok';
+ add_header Content-Type text/plain;
+ }
+ }
 }
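Review bot: The re-added port-5050 server proxies every method on `/v2/` to `registry-private`, while its own comment says the block exists only so the migration script can pull images one last time; that leaves the push path open (with `client_max_body_size 0`) on a registry whose contents are about to be copied into Forgejo, so anything written to it during the window is migrated as well. If nothing legitimately pushes anymore, restricting the location to reads with `limit_except GET HEAD { deny all; }` inside `location /v2/` narrows that window, and an `allow <migration-host-ip>; deny all;` pair (placeholder address) would narrow it further if the script runs from a fixed host. The block sets `ssl_protocols` but no `ssl_ciphers`, so the cipher list inherits nginx defaults; if the other TLS server blocks in this file (outside the hunk) set one, this block should match them. The enclosing `http {` block starts outside the hunk and closes on its last context line.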