[forgejo] Allow webhook delivery to ci.viktorbarzin.me + *.viktorbarzin.me

The Forgejo→Woodpecker webhook (so Woodpecker fires on each push to
viktor/<repo>) was being blocked by the existing ALLOWED_HOST_LIST
of *.svc.cluster.local — ci.viktorbarzin.me resolves to the public IP
because Cloudflare proxying wasn't covering that path. Without this
fix, no Woodpecker pipeline run was triggered on push, the dual-push
bake would never start, and Forgejo's package catalog would stay empty.

Add ci.viktorbarzin.me explicitly + *.viktorbarzin.me as a future-
proofing wildcard. The list still excludes arbitrary external hosts,
so this is not a security regression — just unblocking the webhook
to our own CI.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Viktor Barzin 2026-05-07 17:03:25 +00:00
parent 76d2d0e536
commit 83496f6e0c


@ -109,10 +109,12 @@ resource "kubernetes_deployment" "forgejo" {
name = "FORGEJO__openid__ENABLE_OPENID_SIGNIN"
value = "false"
}
# Allow webhook delivery to internal k8s services
# Allow webhook delivery to internal k8s services AND to the public
# ingress hostnames Forgejo's own webhooks point to (ci.viktorbarzin.me
# for Woodpecker pipelines).
env {
name = "FORGEJO__webhook__ALLOWED_HOST_LIST"
value = "*.svc.cluster.local"
value = "*.svc.cluster.local,ci.viktorbarzin.me,*.viktorbarzin.me"
}
# OCI registry (container packages). Default-on in Forgejo v11 but
# explicit so it can't be silently disabled by an upstream config
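Review bot: the `*.viktorbarzin.me` wildcard in the new `value = "*.svc.cluster.local,ci.viktorbarzin.me,*.viktorbarzin.me"` line admits every subdomain as a webhook target, while both the commit message and the updated comment only justify `ci.viktorbarzin.me` (for Woodpecker). `FORGEJO__webhook__ALLOWED_HOST_LIST` is the control that keeps a repository admin from pointing a webhook at hosts of their choosing from the Forgejo pod's network position, so each broadening should be deliberate: any current or future subdomain, including one that later resolves to something internal, becomes a permitted delivery target. Suggest dropping the wildcard and keeping only the host actually needed, or, if the wildcard must stay, extending the comment above the `env` block to state which other subdomains are expected to receive webhooks so the allow-list and its rationale stay in step.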