[woodpecker] Pin forgejo.viktorbarzin.me to in-cluster Traefik LB

Pipeline triggers from Forgejo were failing with "could not load
config from forge: context deadline exceeded" — Woodpecker's
forge-API fetch path was round-tripping through Cloudflare via the
public IP, hitting 30s deadline timeouts on cold connections. The
in-cluster path via the Traefik LB (10.0.20.200) is consistently
sub-100ms.

Same trick we use for the containerd hosts.toml redirect on each
node — Traefik serves the *.viktorbarzin.me wildcard cert so SNI
verification still passes. OAuth callbacks still use the public
hostname (correct, those come from the user's browser).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Viktor Barzin 2026-05-07 17:13:51 +00:00
parent de56af883d
commit 00fc0cf5bb

@ -4,6 +4,17 @@ server:
reloader.stakater.com/search: "true"
statefulSet:
replicaCount: 1
# Pin forgejo.viktorbarzin.me to the in-cluster Traefik LB so the
# forge-API fetch path never round-trips through Cloudflare. Without
# this, OAuth/HTTP requests hit 30s context-deadline timeouts on cold
# DNS / TLS handshakes through the WAN gateway, which fails every
# pipeline trigger ("could not load config from forge: context
# deadline exceeded"). Traefik serves the wildcard cert so SNI
# verification still passes.
hostAliases:
- ip: "10.0.20.200"
hostnames:
- "forgejo.viktorbarzin.me"
image:
registry: docker.io
repository: woodpeckerci/woodpecker-server
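
Review bot: the `ip: "10.0.20.200"` entry under `hostAliases` hard-codes the Traefik LB address without saying where that address is assigned. If the LB IP changes, this pin keeps resolving forgejo.viktorbarzin.me to the old address inside the pod, with no fallback to public DNS. Suggest extending the comment to name the source of truth for the LB IP, or sourcing it from a shared value, so it is updated together with the containerd hosts.toml redirect mentioned in the commit message. Two smaller points on the comment text: what still passes is the client's certificate hostname check against the wildcard cert, so "SNI verification" is imprecise; and "OAuth/HTTP requests" should say that only requests made from this pod are pinned, since the commit message notes that browser-side OAuth callbacks keep using the public hostname.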