From b49ff9f8219985ba111fe3868441fdd58efe8a80 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Tue, 3 Mar 2026 07:51:28 -0800
Subject: [PATCH] Add Tailscale Ingress for Forge via ExternalName Service

Create forge.tail8d86e.ts.net endpoint that proxies to Forgejo on
indri:3001. Uses ExternalName Service since Forgejo runs natively
on indri (not in k8s). Tagged with flyio-target for Fly.io proxy
access via existing ACLs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../tailscale-operator/ingress-forge.yaml     | 20 +++++++++++++++++++
 .../tailscale-operator/kustomization.yaml     |  2 ++
 .../svc-forge-external.yaml                   | 13 ++++++++++++
 3 files changed, 35 insertions(+)
 create mode 100644 argocd/manifests/tailscale-operator/ingress-forge.yaml
 create mode 100644 argocd/manifests/tailscale-operator/svc-forge-external.yaml

diff --git a/argocd/manifests/tailscale-operator/ingress-forge.yaml b/argocd/manifests/tailscale-operator/ingress-forge.yaml
new file mode 100644
index 0000000..047b59d
--- /dev/null
+++ b/argocd/manifests/tailscale-operator/ingress-forge.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: forge-tailscale
+  namespace: tailscale
+  annotations:
+    tailscale.com/proxy-class: "default"
+    tailscale.com/proxy-group: "ingress"
+    tailscale.com/tags: "tag:k8s,tag:flyio-target"
+spec:
+  ingressClassName: tailscale
+  defaultBackend:
+    service:
+      name: forge-external
+      port:
+        number: 3001
+  tls:
+    - hosts:
+        - forge
diff --git a/argocd/manifests/tailscale-operator/kustomization.yaml b/argocd/manifests/tailscale-operator/kustomization.yaml
index a14ca81..b38ee05 100644
--- a/argocd/manifests/tailscale-operator/kustomization.yaml
+++ b/argocd/manifests/tailscale-operator/kustomization.yaml
@@ -8,3 +8,5 @@ resources:
   - ../tailscale-operator-base
   - proxygroup-ingress.yaml
   - external-secret.yaml
+  - svc-forge-external.yaml
+  - ingress-forge.yaml
diff --git a/argocd/manifests/tailscale-operator/svc-forge-external.yaml b/argocd/manifests/tailscale-operator/svc-forge-external.yaml
new file mode 100644
index 0000000..2812acf
--- /dev/null
+++ b/argocd/manifests/tailscale-operator/svc-forge-external.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: forge-external
+  namespace: tailscale
+spec:
+  type: ExternalName
+  externalName: indri.tail8d86e.ts.net
+  ports:
+    - name: http
+      port: 3001
+      protocol: TCP