tts: pull Chatterbox from GHCR — the Forgejo-registry copy is unpullable

Viktor reports the voice still isn't from the TTS service — correct:
zero story_audio rows exist; the pod has sat in ImagePullBackOff since
the first window because the 2026-06-09 Forgejo-registry push has a
corrupt layer blob (HEAD 500s; pushed from a 94%-full disk) and identical
digests can't heal corrupt registry storage. The off-infra GHA rebuild
(tripit build-chatterbox.yml, devnen 915ae289, succeeded 03:23 UTC) now
lives in private GHCR: switch the image there, pin the upstream-sha tag,
and add the vault-backed ghcr-credentials pull secret (mirrors
stacks/tripit). tripit's drain loop has 27 narrations queued and picks
them up the moment the pod goes Ready.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

stacks/tts/main.tf

@@ -1,7 +1,11 @@
 variable "image_tag" {
-  type        = string
+  type = string
-  default     = "latest"
+  # Pinned to the devnen upstream sha the GHA build was dispatched against
-  description = "chatterbox-tts image tag. Use the 8-char git SHA in CI; :latest for local trials."
+  # (tripit .github/workflows/build-chatterbox.yml). NOT :cu128/:latest — the
+  # original Forgejo-registry push is unpullable (corrupt layer blob, 500 on
+  # HEAD), which is also why the image moved to GHCR.
+  default     = "915ae289"
+  description = "chatterbox-tts GHCR image tag (devnen upstream short sha)."
 }
 
 # ─────────────────────────────────────────────────────────────────────────────
@@ -55,7 +59,7 @@ variable "offpeak_guard_schedule" {
 locals {
   namespace = "tts"
   labels    = { app = "chatterbox-tts" }
-  image     = "forgejo.viktorbarzin.me/viktor/chatterbox-tts:${var.image_tag}"
+  image     = "ghcr.io/viktorbarzin/chatterbox-tts:${var.image_tag}"
 
   # config.yaml rendered into a ConfigMap, mounted at /app/config.yaml (the
   # server's WORKDIR is /app). Voices, reference audio and the HF model cache
@@ -268,6 +272,33 @@ resource "kubernetes_job" "models_dir_init" {
   timeouts { create = "3m" }
 }
 
+# Pull secret for the PRIVATE ghcr.io/viktorbarzin/chatterbox-tts image (built
+# off-infra by tripit's build-chatterbox.yml GHA workflow — the Forgejo registry
+# copy is unpullable, corrupt layer blob). Mirrors stacks/tripit's ghcr secret.
+data "vault_kv_secret_v2" "viktor" {
+  mount = "secret"
+  name  = "viktor"
+}
+
+resource "kubernetes_secret" "ghcr_credentials" {
+  metadata {
+    name      = "ghcr-credentials"
+    namespace = kubernetes_namespace.tts.metadata[0].name
+  }
+  type = "kubernetes.io/dockerconfigjson"
+  data = {
+    ".dockerconfigjson" = jsonencode({
+      auths = {
+        "ghcr.io" = {
+          username = "ViktorBarzin"
+          password = data.vault_kv_secret_v2.viktor.data["github_pat"]
+          auth     = base64encode("ViktorBarzin:${data.vault_kv_secret_v2.viktor.data["github_pat"]}")
+        }
+      }
+    })
+  }
+}
+
 resource "kubernetes_config_map" "chatterbox_config" {
   metadata {
     name      = "chatterbox-config"
@@ -328,6 +359,9 @@ resource "kubernetes_deployment" "chatterbox" {
         priority_class_name = "tier-2-gpu"
 
         image_pull_secrets { name = "registry-credentials" }
+        image_pull_secrets {
+          name = kubernetes_secret.ghcr_credentials.metadata[0].name
+        }
 
         container {
           name  = "chatterbox-tts"