diff --git a/argocd/apps/cloudnative-pg.yaml b/argocd/apps/cloudnative-pg.yaml
index 30d35db..90aad8b 100644
--- a/argocd/apps/cloudnative-pg.yaml
+++ b/argocd/apps/cloudnative-pg.yaml
@@ -10,8 +10,8 @@ metadata:
 spec:
   project: default
   sources:
-    # Helm chart from forge mirror (HTTPS, public repo)
-    - repoURL: https://forge.tail8d86e.ts.net/eblume/cloudnative-pg-charts.git
+    # Helm chart from forge mirror (SSH via egress)
+    - repoURL: ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/cloudnative-pg-charts.git
       targetRevision: cloudnative-pg-v0.23.0
       path: charts/cloudnative-pg
       helm:
diff --git a/argocd/apps/grafana.yaml b/argocd/apps/grafana.yaml
index de1d8ff..6db5ca6 100644
--- a/argocd/apps/grafana.yaml
+++ b/argocd/apps/grafana.yaml
@@ -13,8 +13,8 @@ metadata:
 spec:
   project: default
   sources:
-    # Helm chart from forge mirror (HTTPS, public repo)
-    - repoURL: https://forge.tail8d86e.ts.net/eblume/grafana-helm-charts.git
+    # Helm chart from forge mirror (SSH via egress)
+    - repoURL: ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/grafana-helm-charts.git
       targetRevision: grafana-8.8.2
       path: charts/grafana
       helm:
diff --git a/argocd/manifests/argocd/README.md b/argocd/manifests/argocd/README.md
index 5e27c2e..42762df 100644
--- a/argocd/manifests/argocd/README.md
+++ b/argocd/manifests/argocd/README.md
@@ -5,7 +5,7 @@ GitOps continuous delivery for Kubernetes, with self-management via ArgoCD.
 
 ## Prerequisites
 
 - Tailscale operator deployed (see `argocd/manifests/tailscale-operator/README.md`)
-- Deploy key added to forge for SSH access to blumeops repo
+- SSH key added to Forgejo user for access to all forge repos (not a deploy key)
 
 ## Manual Bootstrap
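Review bot: The new `repoURL` lines in the cloudnative-pg.yaml hunk (and identically in the grafana.yaml hunk) move chart fetching from an HTTPS clone with TLS verification to SSH, and the credential template these URLs now match sets `insecure=true` (visible in this diff's README and `.tpl` hunks), which disables SSH host-key verification for `indri.tail8d86e.ts.net:2200`. ArgoCD supports pinning the host key instead: add the forge's key to the `argocd-ssh-known-hosts-cm` ConfigMap and drop `insecure`, so only the real forge host can serve these charts. The comment above each `repoURL` should also name where credentials now come from, e.g. `# Helm chart from forge mirror (SSH via egress; credentials matched from the repo-creds-forge template)`, since nothing in the Application itself references the secret. The `sources` list continues outside both hunks.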
@@ -28,14 +28,14 @@ kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.pas
 argocd login argocd.tail8d86e.ts.net --username admin --grpc-web
 argocd account update-password
 
-# 6. Apply repo-forge secret for SSH access to forge
+# 6. Apply repo-creds-forge credential template for SSH access to all forge repos
 PRIV_KEY=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/csjncynh6htjvnh2l2da65y32q/private key?ssh-format=openssh")$'\n' && \
-kubectl create secret generic repo-forge -n argocd \
+kubectl create secret generic repo-creds-forge -n argocd \
   --from-literal=type=git \
-  --from-literal=url='ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/blumeops.git' \
+  --from-literal=url='ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/' \
   --from-literal=insecure=true \
   --from-literal=sshPrivateKey="$PRIV_KEY" && \
-kubectl label secret repo-forge -n argocd argocd.argoproj.io/secret-type=repository
+kubectl label secret repo-creds-forge -n argocd argocd.argoproj.io/secret-type=repo-creds
 
 # 7. Apply ArgoCD Applications (self-management + app-of-apps)
 kubectl apply -f argocd/apps/argocd.yaml
@@ -103,12 +103,13 @@ spec:
 | `kustomization.yaml` | References upstream install.yaml + local customizations |
 | `service-tailscale.yaml` | Tailscale Ingress for external access with Let's Encrypt TLS |
 | `argocd-cmd-params-cm.yaml` | Patch to disable HTTPS redirect (TLS terminates at Ingress) |
-| `repo-forge-secret.yaml.tpl` | Template documenting the forge SSH secret (manual) |
+| `repo-forge-secret.yaml.tpl` | Template for forge SSH credential template (manual) |
 | `README.md` | This file |
 
 ## Notes
 
-- **TODO:** Secrets (`repo-forge`) are not managed by ArgoCD and must be applied manually.
+- **TODO:** Secrets (`repo-creds-forge`) are not managed by ArgoCD and must be applied manually.
   Future improvement: integrate with a secrets operator (e.g., External Secrets).
+- The credential template (`repo-creds`) uses a URL prefix to match all repos under `eblume/`.
 - ArgoCD uses Tailscale Ingress with Let's Encrypt for TLS termination.
 - The `--grpc-web` flag is required for CLI access through the Tailscale ingress.
diff --git a/argocd/manifests/argocd/repo-forge-secret.yaml.tpl b/argocd/manifests/argocd/repo-forge-secret.yaml.tpl
index f4a2d53..e72b037 100644
--- a/argocd/manifests/argocd/repo-forge-secret.yaml.tpl
+++ b/argocd/manifests/argocd/repo-forge-secret.yaml.tpl
@@ -1,27 +1,31 @@
-# ArgoCD repository secret for forge SSH access
+# ArgoCD credential template for forge SSH access
+# This is a repo-creds (credential template) that matches ALL repos under eblume/
 #
 # IMPORTANT: Use ?ssh-format=openssh to get OpenSSH format (required by ArgoCD)
 #
+# The SSH key must be added to the Forgejo user's SSH keys (not as a deploy key)
+# so it has access to all repos owned by that user.
+#
 # Create the secret with:
 #
 # PRIV_KEY=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/csjncynh6htjvnh2l2da65y32q/private key?ssh-format=openssh")$'\n' && \
-# kubectl create secret generic repo-forge -n argocd \
+# kubectl create secret generic repo-creds-forge -n argocd \
 #   --from-literal=type=git \
-#   --from-literal=url='ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/blumeops.git' \
+#   --from-literal=url='ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/' \
 #   --from-literal=insecure=true \
 #   --from-literal=sshPrivateKey="$PRIV_KEY" && \
-# kubectl label secret repo-forge -n argocd argocd.argoproj.io/secret-type=repository
+# kubectl label secret repo-creds-forge -n argocd argocd.argoproj.io/secret-type=repo-creds
 #
 apiVersion: v1
 kind: Secret
 metadata:
-  name: repo-forge
+  name: repo-creds-forge
   namespace: argocd
   labels:
-    argocd.argoproj.io/secret-type: repository
+    argocd.argoproj.io/secret-type: repo-creds
 stringData:
   type: git
-  url: ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/blumeops.git
+  url: ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/
   insecure: "true"
   sshPrivateKey: |
     # Key from 1Password: op://vg6xf6vvfmoh5hqjjhlhbeoaie/csjncynh6htjvnh2l2da65y32q/private key
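Review bot: The new `url: ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/` prefix, combined with a key registered on the Forgejo user as the added header comment instructs, gives ArgoCD that user's full rights (including push) on every repo under `eblume/`, while ArgoCD only needs to read; a compromise of the `argocd` namespace would then expose write access to the whole forge account. A narrower grant would be a dedicated Forgejo account with read-only access to the mirrored repos, or per-repo read-only deploy keys each in its own `repository`-type secret; the header comment should state which option was chosen and why. The retained `insecure: "true"` now applies to every repo the prefix matches rather than one, so the header should also say what it does, e.g. `# insecure: "true" disables SSH host-key verification; prefer a known-hosts entry for indri.tail8d86e.ts.net:2200 in argocd-ssh-known-hosts-cm and remove this field`.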