From d4082985a6d845d3a5fe1d4b50d817c5c5f484d5 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Tue, 3 Mar 2026 06:56:33 -0800
Subject: [PATCH] Remove deprecated forge egress proxy from tailscale-operator

The egress proxy (tailscale-forge device) has been unused since Caddy
took over forge routing. No k8s resources reference it as a backend.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 argocd/manifests/tailscale-operator/README.md |  3 ---
 .../tailscale-operator/egress-forge.yaml      | 23 -------------------
 .../tailscale-operator/kustomization.yaml     |  1 -
 3 files changed, 27 deletions(-)
 delete mode 100644 argocd/manifests/tailscale-operator/egress-forge.yaml

diff --git a/argocd/manifests/tailscale-operator/README.md b/argocd/manifests/tailscale-operator/README.md
index ee8ce1e..dc4b009 100644
--- a/argocd/manifests/tailscale-operator/README.md
+++ b/argocd/manifests/tailscale-operator/README.md
@@ -73,7 +73,6 @@ kubectl logs -n tailscale -l app.kubernetes.io/name=operator
 | `operator.yaml` | Operator deployment, CRDs, RBAC (secret removed) |
 | `proxyclass.yaml` | ProxyClass with fully-qualified images |
 | `dnsconfig.yaml` | DNSConfig for cluster-to-tailnet name resolution |
-| `egress-forge.yaml` | Egress proxy for accessing forge on indri |
 | `secret.yaml.tpl` | 1Password template for OAuth credentials (manual) |
 | `README.md` | This file |
 
@@ -86,5 +85,3 @@ kubectl logs -n tailscale -l app.kubernetes.io/name=operator
   annotations:
     tailscale.com/proxy-class: "default"
   ```
-- The egress proxy for forge is **deprecated**. Forge is now accessible via Caddy at
-  `forge.ops.eblu.me` (HTTPS) and `forge.ops.eblu.me:2222` (SSH), which pods can reach directly.
diff --git a/argocd/manifests/tailscale-operator/egress-forge.yaml b/argocd/manifests/tailscale-operator/egress-forge.yaml
deleted file mode 100644
index 4dc982b..0000000
--- a/argocd/manifests/tailscale-operator/egress-forge.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# DEPRECATED: This egress proxy is no longer needed.
-# Forge is now accessible via Caddy at forge.ops.eblu.me (HTTPS) and
-# forge.ops.eblu.me:2222 (SSH), which pods can reach directly.
-#
-# Keeping this file for reference during migration. Remove once verified.
-#
-# Original purpose: Egress proxy to expose Forgejo (forge) to the cluster
-# See: https://tailscale.com/kb/1438/kubernetes-operator-cluster-egress
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: forge
-  namespace: tailscale
-  annotations:
-    tailscale.com/tailnet-fqdn: indri.tail8d86e.ts.net
-    tailscale.com/proxy-class: "default"
-spec:
-  type: ExternalName
-  externalName: placeholder
-  ports:
-    - port: 3001
-      targetPort: 3001
diff --git a/argocd/manifests/tailscale-operator/kustomization.yaml b/argocd/manifests/tailscale-operator/kustomization.yaml
index 09fa1b8..a14ca81 100644
--- a/argocd/manifests/tailscale-operator/kustomization.yaml
+++ b/argocd/manifests/tailscale-operator/kustomization.yaml
@@ -7,5 +7,4 @@ namespace: tailscale
 resources:
   - ../tailscale-operator-base
   - proxygroup-ingress.yaml
-  - egress-forge.yaml
   - external-secret.yaml