diff --git a/stacks/woodpecker/values.yaml b/stacks/woodpecker/values.yaml
index 2a2f8615..03e0881c 100644
--- a/stacks/woodpecker/values.yaml
+++ b/stacks/woodpecker/values.yaml
@@ -4,6 +4,17 @@ server:
     reloader.stakater.com/search: "true"
   statefulSet:
     replicaCount: 1
+  # Pin forgejo.viktorbarzin.me to the in-cluster Traefik LB so the
+  # forge-API fetch path never round-trips through Cloudflare. Without
+  # this, OAuth/HTTP requests hit 30s context-deadline timeouts on cold
+  # DNS / TLS handshakes through the WAN gateway, which fails every
+  # pipeline trigger ("could not load config from forge: context
+  # deadline exceeded"). Traefik serves the wildcard cert so SNI
+  # verification still passes.
+  hostAliases:
+    - ip: "10.0.20.200"
+      hostnames:
+        - "forgejo.viktorbarzin.me"
   image:
     registry: docker.io
     repository: woodpeckerci/woodpecker-server