Add Tailscale Ingress for Forge via ExternalName Service

Create forge.tail8d86e.ts.net endpoint that proxies to Forgejo on
indri:3001. Uses ExternalName Service since Forgejo runs natively
on indri (not in k8s). Tagged with flyio-target for Fly.io proxy
access via existing ACLs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

argocd/manifests/tailscale-operator/ingress-forge.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: forge-tailscale
+  namespace: tailscale
+  annotations:
+    tailscale.com/proxy-class: "default"
+    tailscale.com/proxy-group: "ingress"
+    tailscale.com/tags: "tag:k8s,tag:flyio-target"
+spec:
+  ingressClassName: tailscale
+  defaultBackend:
+    service:
+      name: forge-external
+      port:
+        number: 3001
+  tls:
+    - hosts:
+        - forge

argocd/manifests/tailscale-operator/kustomization.yaml

@@ -8,3 +8,5 @@ resources:
   - ../tailscale-operator-base
   - proxygroup-ingress.yaml
   - external-secret.yaml
+  - svc-forge-external.yaml
+  - ingress-forge.yaml

argocd/manifests/tailscale-operator/svc-forge-external.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: forge-external
+  namespace: tailscale
+spec:
+  type: ExternalName
+  externalName: indri.tail8d86e.ts.net
+  ports:
+    - name: http
+      port: 3001
+      protocol: TCP