## Forgejo

[forgejo](https://code.forgejo.org/forgejo-helm/forgejo-helm) is configured in [ingress](https://code.forgejo.org/forgejo-helm/forgejo-helm#ingress) so that the reverse proxy (`traefik`) routes the domain and the ACME issuer (`cert-manager`) obtains a certificate, and in [service](https://code.forgejo.org/forgejo-helm/forgejo-helm#service) so that the `ssh` port is bound to the desired IPs of the load balancer (`metallb`).

```yaml
ingress:
  enabled: true
  annotations:
    # https://cert-manager.io/docs/usage/ingress/#supported-annotations
    # https://github.com/cert-manager/cert-manager/issues/2239
    cert-manager.io/cluster-issuer: letsencrypt-http
    cert-manager.io/private-key-algorithm: ECDSA
    cert-manager.io/private-key-size: 384
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  tls:
    - hosts:
        - t1.forgejo.org
      secretName: tls-forgejo-t1-ingress-http
  hosts:
    - host: t1.forgejo.org
      paths:
        - path: /
          pathType: Prefix

service:
  http:
    type: ClusterIP
    ipFamilyPolicy: PreferDualStack
    port: 3000
  ssh:
    type: LoadBalancer
    annotations:
      metallb.universe.tf/loadBalancerIPs: 188.40.16.47,2a01:4f8:fff2:48::2
      metallb.universe.tf/allow-shared-ip: "key-to-share-failover"
    ipFamilyPolicy: PreferDualStack
    port: 2222
```

[Instruct the forgejo pod](https://code.forgejo.org/forgejo-helm/forgejo-helm#persistence) to use the `forgejo-data` pvc.

```yaml
persistence:
  enabled: true
  create: false
  claimName: forgejo-data
```
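A pre-deploy lint for the ingress and service values above, as an added example (not part of the forgejo-helm chart or of this documentation). The function name `lint_values` and the choice of checks are assumptions; the sample values are copied from the snippets on this page and reduced to the keys the checks read.

```python
import ipaddress

# Constructed from the page's ingress/service values (only the keys the checks read).
VALUES = {
    "ingress": {
        "annotations": {
            "cert-manager.io/private-key-algorithm": "ECDSA",
            "cert-manager.io/private-key-size": 384,
        },
        "tls": [{"hosts": ["t1.forgejo.org"],
                 "secretName": "tls-forgejo-t1-ingress-http"}],
        "hosts": [{"host": "t1.forgejo.org"}],
    },
    "service": {"ssh": {
        "ipFamilyPolicy": "PreferDualStack",
        "annotations": {"metallb.universe.tf/loadBalancerIPs":
                        "188.40.16.47,2a01:4f8:fff2:48::2"},
    }},
}


def lint_values(values):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ingress = values["ingress"]
    # cert-manager builds the certificate from the tls section, so a routed
    # host missing there is served without a matching certificate.
    covered = {h for entry in ingress.get("tls", []) for h in entry.get("hosts", [])}
    for rule in ingress.get("hosts", []):
        if rule["host"] not in covered:
            findings.append(f"host {rule['host']} is routed but has no tls entry")
    # cert-manager accepts 256, 384 or 521 as ECDSA key sizes.
    ann = ingress.get("annotations", {})
    size = int(ann.get("cert-manager.io/private-key-size", 256))
    if ann.get("cert-manager.io/private-key-algorithm") == "ECDSA" and size not in (256, 384, 521):
        findings.append(f"ECDSA key size {size} is not 256, 384 or 521")
    # Assumed expectation: a dual-stack service pins one IPv4 and one IPv6 address.
    ssh = values["service"]["ssh"]
    pinned = ssh.get("annotations", {}).get("metallb.universe.tf/loadBalancerIPs", "")
    versions = []
    for item in (s.strip() for s in pinned.split(",") if s.strip()):
        try:
            versions.append(ipaddress.ip_address(item).version)
        except ValueError:
            findings.append(f"loadBalancerIPs entry {item!r} is not an IP address")
    if pinned and "DualStack" in ssh.get("ipFamilyPolicy", "") and sorted(versions) != [4, 6]:
        findings.append("dual-stack ssh service should pin one IPv4 and one IPv6 address")
    return findings


if __name__ == "__main__":
    print(lint_values(VALUES) or "no findings")
```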