Fix forge ExternalName → ClusterIP+Endpoints for Tailscale Ingress

The Tailscale ingress operator requires backends with a ClusterIP.
ExternalName services don't have one, causing "invalid ClusterIP"
errors. Replace with a headless Service + manual Endpoints pointing
to indri's Tailscale IP (100.98.163.89).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

argocd/manifests/tailscale-operator/svc-forge-external.yaml

@@ -1,13 +1,28 @@
 ---
+# Headless service + manual Endpoints to route to Forgejo on indri.
+# ExternalName services don't have a ClusterIP, which the Tailscale
+# ingress operator requires. This pattern creates a real ClusterIP
+# that forwards to indri's Tailscale IP.
 apiVersion: v1
 kind: Service
 metadata:
   name: forge-external
   namespace: tailscale
 spec:
-  type: ExternalName
-  externalName: indri.tail8d86e.ts.net
   ports:
     - name: http
       port: 3001
       protocol: TCP
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: forge-external
+  namespace: tailscale
+subsets:
+  - addresses:
+      - ip: 100.98.163.89
+    ports:
+      - name: http
+        port: 3001
+        protocol: TCP