[woodpecker] Persist hostAliases patch via null_resource (chart doesn't expose it)

Helm chart 3.5.1 has no `server.hostAliases` field, so the YAML
addition I made earlier was a no-op. Apply via kubectl patch in a
null_resource keyed on helm revision so it re-asserts on every
chart upgrade. Same pattern as the CoreDNS replicas/affinity patch
in stacks/technitium/.

Without this, every helm upgrade on woodpecker reverts the
hostAliases fix and the Forgejo pipeline triggers start failing
with context-deadline-exceeded again.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

stacks/woodpecker/main.tf

@@ -172,6 +172,31 @@ resource "helm_release" "woodpecker" {
   depends_on = [kubernetes_manifest.db_external_secret]
 }
 
+# Patch hostAliases onto the woodpecker-server StatefulSet — the chart 3.5.1
+# does NOT expose this field, so we have to do it after the helm release.
+# Keeps the OAuth/forge-API path off the WAN gateway (forgejo.viktorbarzin.me
+# resolves to the public IP via DNS, which round-trips through Cloudflare
+# and routinely tripped 30s context-deadline timeouts when fetching pipeline
+# config). 10.0.20.200 is the Traefik LB that fronts forgejo internally;
+# Traefik serves the *.viktorbarzin.me wildcard so SNI verification still
+# passes.
+resource "null_resource" "woodpecker_server_host_alias" {
+  triggers = {
+    helm_revision = helm_release.woodpecker.metadata[0].revision
+  }
+
+  provisioner "local-exec" {
+    command     = <<-BASH
+      set -euo pipefail
+      kubectl -n woodpecker patch statefulset/woodpecker-server --type=strategic --patch '{"spec":{"template":{"spec":{"hostAliases":[{"ip":"10.0.20.200","hostnames":["forgejo.viktorbarzin.me"]}]}}}}'
+      kubectl -n woodpecker rollout status statefulset/woodpecker-server --timeout=120s
+    BASH
+    interpreter = ["/bin/bash", "-c"]
+  }
+
+  depends_on = [helm_release.woodpecker]
+}
+
 # ClusterRoleBinding - build pods need cluster-admin to PATCH deployments across namespaces
 resource "kubernetes_cluster_role_binding" "woodpecker" {
   metadata {

stacks/woodpecker/values.yaml

@@ -4,17 +4,12 @@ server:
     reloader.stakater.com/search: "true"
   statefulSet:
     replicaCount: 1
-  # Pin forgejo.viktorbarzin.me to the in-cluster Traefik LB so the
-  # forge-API fetch path never round-trips through Cloudflare. Without
-  # this, OAuth/HTTP requests hit 30s context-deadline timeouts on cold
-  # DNS / TLS handshakes through the WAN gateway, which fails every
-  # pipeline trigger ("could not load config from forge: context
-  # deadline exceeded"). Traefik serves the wildcard cert so SNI
-  # verification still passes.
-  hostAliases:
-    - ip: "10.0.20.200"
-      hostnames:
-        - "forgejo.viktorbarzin.me"
+  # NOTE: hostAliases is NOT exposed by the woodpecker Helm chart (3.5.1 verified) —
+  # see main.tf null_resource.woodpecker_server_host_alias which applies the same
+  # via `kubectl patch` post-helm. Pinned to the in-cluster Traefik LB
+  # (10.0.20.200) so the forge-API fetch path never round-trips through
+  # Cloudflare ("context deadline exceeded" was failing every Forgejo
+  # pipeline trigger).
   image:
     registry: docker.io
     repository: woodpeckerci/woodpecker-server