docs: document pipeline fix v3 using iptables DNAT and update workflow

Added a detailed session log explaining the replacement of `socat` with `iptables` DNAT for internal Gitea registry access in the pipeline. Updated `.gitea/workflows/docker-publish.yaml` to reflect the new approach, eliminating the need for additional packages on minimal runners.

.gitea/workflows/docker-publish.yaml

@@ -102,16 +102,15 @@ jobs:
 
       # Pangolin-Bypass: Gitea intern via HTTP erreichbar machen
       # Problem: git.mo-code.at ist extern HTTPS (Pangolin), Gitea intern läuft HTTP auf Port 3000.
-      #   Alter Fix (/etc/hosts → 10.0.0.22) scheiterte: Docker versuchte HTTPS:443, Port geschlossen.
-      # Lösung: socat proxied lokalen Port 80 → 10.0.0.22:3000
-      #          buildkitd nutzt http=true (Port 80) → socat → Gitea:3000 (kein TLS nötig)
+      # Lösung: /etc/hosts zeigt git.mo-code.at → 10.0.0.22
+      #          iptables DNAT leitet :80 → :3000 weiter (kein socat, kein Extra-Paket nötig)
+      #          buildkitd nutzt http=true (Port 80) → iptables → Gitea:3000
       - name: Registry intern auflösen (Pangolin-Bypass)
         run: |
-          which socat || sudo apt-get install -y -q socat
-          echo "127.0.0.1 git.mo-code.at" | sudo tee -a /etc/hosts
-          sudo socat TCP4-LISTEN:80,fork,reuseaddr TCP4:10.0.0.22:3000 &
-          sleep 1
-          echo "✓ Proxy aktiv: git.mo-code.at:80 → 10.0.0.22:3000"
+          echo "10.0.0.22 git.mo-code.at" | sudo tee -a /etc/hosts
+          sudo iptables -t nat -A OUTPUT -p tcp -d 10.0.0.22 --dport 80 -j DNAT --to-destination 10.0.0.22:3000
+          sudo iptables -t nat -A POSTROUTING -p tcp -d 10.0.0.22 --dport 3000 -j MASQUERADE
+          echo "✓ DNAT aktiv: git.mo-code.at:80 → 10.0.0.22:3000"
 
       - name: Log in to the Container registry
         uses: docker/login-action@v3