diff --git a/bootstrap/argocd-config.yaml b/bootstrap/argocd-config.yaml
index ed6fd26..e80bebc 100644
--- a/bootstrap/argocd-config.yaml
+++ b/bootstrap/argocd-config.yaml
@@ -124,6 +124,13 @@ spec:
 secret: $dex.grafana.clientSecret
 redirectURIs:
 - https://grafana.makeitwork.cloud/login/generic_oauth
+ # Forgejo uses Dex as its OIDC provider via the `dex` auth source
+ # configured at install time (see operators/forgejo/application.yaml).
+ - id: forgejo
+ name: Forgejo
+ secret: $dex.forgejo.clientSecret
+ redirectURIs:
+ - https://forgejo.makeitwork.cloud/user/oauth2/dex/callback
 # RBAC with GitHub team mapping
 rbac:
 defaultPolicy: ''
diff --git a/bootstrap/secrets/github-oauth-secret.yaml b/bootstrap/secrets/github-oauth-secret.yaml
index 74098e2..37684c0 100644
--- a/bootstrap/secrets/github-oauth-secret.yaml
+++ b/bootstrap/secrets/github-oauth-secret.yaml
@@ -16,6 +16,7 @@ stringData:
 dex.github.clientSecret: ENC[AES256_GCM,data:g53ok+zuNccR47ngruY9HsXRO0JbGazW32MMduvfaim2QBKs03ATCg==,iv:QqaXEDFwKpaEC1Evdaj4j1jmJzbXpevMcYXxqLF1o8U=,tag:sAQU431fwCQH3vAYOm9O1Q==,type:str]
 dex.headlamp.clientSecret: ENC[AES256_GCM,data:iO6N04zWyzvaHcs8Bd2fIaYayDAHPonQM/0CI8wXynrH0nklrQpTBuFgCarJ5/iUbGKWKQsECEAH/yzTmqCNIg==,iv:eDlO8C0OJFSnp0d90Qgj2hJqCaa74Fw58dB/VNhFvZg=,tag:GcZdcjnSOab+LWfXgGb3lw==,type:str]
 dex.grafana.clientSecret: ENC[AES256_GCM,data:W83Zy4wsbNIUza47swtVAYjYbMiVSbLiPyBjEAj3cBHafRv4LMDtXCe/U9UWvyqMnsVdcXqsmE2FflDGQLBDcQ==,iv:nmsgCR7D35Tya0DRJZUMPtPEkElRJeqInzk4N2yMgP8=,tag:srmM2rscemUDOUjaz/fqhQ==,type:str]
+ dex.forgejo.clientSecret: ENC[AES256_GCM,data:E1Fs089ssIsMc5vnrjPbEFjsbAQQq82obeNsS7be4vklXVs37BdedTnOWiAWCrahyPoc3MqqEE3W5Rgutd63OQ==,iv:Ael18r8WxOvZSZ5wktGYQqPyege9Ybs54e2yLU7YSG0=,tag:tRkzxr2qZOwonBUMR+c7Kg==,type:str]
 sops:
 age:
 - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
@@ -27,7 +28,7 @@ sops:
 T2dvNlRjNE1lNFVHWnJWNTA2Z2M5STgKUX9gEItGx811Wsq/GjUwe+pxyi9lt5gY
 uqKM/eXkZyz9S3HqinAhw5xiPEBokqmNcpaOHtHNgpgkhJY9YFCllQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-04-30T04:26:32Z"
- mac: ENC[AES256_GCM,data:NJvT2fUOM2YXni/Di/DJv0hnKOO65sqRnU2jfI1Dur4M2HWjnJTRJTehb4UVbc1GvkLwVCi80inWmheoW3eWjfwDRR74VHKWXQBEG50fDk6AfZMrugH1c71FjbhEzkk33VYIwMn0B2OOyeH06TceXQ6pRAzVfv6nG5zZ9hpo5d4=,iv:DH9adVlZBl99Oj2KGjkEUUfPCmyohyIJ5t6OTnWNQD8=,tag:PqDm8YllKQHS7utXKLI/Iw==,type:str]
+ lastmodified: "2026-04-30T05:14:39Z"
+ mac: ENC[AES256_GCM,data:Ya/DL6Nl+L2LvDT6X/ysesBSY3C2TQpYsHd8vYcfgQPRvUx6z2hBPt7stTgMyALmMaItcxb7OJdYjgs5Hg3VlTYjH84iXyLgLcQX8DcM3Cscq4LJQWTsDmYxx/u8ebaaCXoCSEYFv1Qg8gdw4LlZCAvixmOuxgpJpevjNDgU5Fw=,iv:czbb86e4QoUwZVaY+nyImM3VYmwtADmycINhOjD0rno=,tag:Z+wqDbfOLF082SuQrntCXQ==,type:str]
 encrypted_regex: ^(token|api-token|apiToken|clientID|clientSecret|client_id|client_secret|password|secret|github_token|CLOUDFLARE_API_TOKEN|credentials\.json|.*_SERVICE_KEY|GF_AUTH_GITHUB_CLIENT_SECRET|GF_SECURITY_ADMIN_PASSWORD|dex\.[a-z]+\.clientID|dex\.[a-z]+\.clientSecret)$
 version: 3.12.2
diff --git a/operators/forgejo/application.yaml b/operators/forgejo/application.yaml
new file mode 100644
index 0000000..14a20ac
--- /dev/null
+++ b/operators/forgejo/application.yaml
@@ -0,0 +1,66 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: forgejo
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "1"
+spec:
+ project: default
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: forgejo
+ source:
+ chart: forgejo
+ repoURL: code.forgejo.org/forgejo-helm
+ targetRevision: 13.1.0
+ helm:
+ releaseName: forgejo
+ valuesObject:
+ # Enough for a single-user instance with some repos.
+ persistence:
+ enabled: true
+ size: 20Gi
+ # Single-replica is the only mode SQLite supports anyway.
+ replicaCount: 1
+ strategy:
+ type: Recreate
+ gitea:
+ # OIDC sign-in via ArgoCD's embedded Dex (`dex` auth source).
+ # The chart's init container runs `gitea admin auth add-oauth`
+ # using values pulled from the forgejo-oidc Secret (key/secret).
+ oauth:
+ - name: dex
+ provider: openidConnect
+ autoDiscoverUrl: https://argocd.makeitwork.cloud/api/dex/.well-known/openid-configuration
+ scopes: openid profile email groups
+ existingSecret: forgejo-oidc
+ config:
+ server:
+ ROOT_URL: https://forgejo.makeitwork.cloud/
+ DOMAIN: forgejo.makeitwork.cloud
+ # No SSH over the public tunnel; HTTPS git only.
+ DISABLE_SSH: true
+ START_SSH_SERVER: false
+ service:
+ # Local password auth disabled — OIDC primary.
+ ALLOW_ONLY_EXTERNAL_REGISTRATION: true
+ ENABLE_OPENID_SIGNIN: true
+ ENABLE_OPENID_SIGNUP: true
+ openid:
+ ENABLE_OPENID_SIGNIN: true
+ ENABLE_OPENID_SIGNUP: true
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ memory: 1Gi
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - ServerSideApply=true
+ - CreateNamespace=true
diff --git a/operators/forgejo/ksops-forgejo-secrets.yaml b/operators/forgejo/ksops-forgejo-secrets.yaml
new file mode 100644
index 0000000..6b9dfcc
--- /dev/null
+++ b/operators/forgejo/ksops-forgejo-secrets.yaml
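Review bot: The comment `# Local password auth disabled — OIDC primary.` above `ALLOW_ONLY_EXTERNAL_REGISTRATION` does not match what the settings under `service:` and `openid:` do: that key only blocks local self-registration, and `ENABLE_OPENID_SIGNIN`/`ENABLE_OPENID_SIGNUP` (written twice, under `service` and under `openid`) control Forgejo's legacy OpenID 2.0 login rather than the OAuth2/OIDC source the chart registers from `gitea.oauth`, so the username/password form stays reachable on a host published through the tunnel. If OIDC-only sign-in is the intent, drop the `openid` block and the two misplaced keys, hide the password form, and enable auto-provisioning for the Dex source as sketched below; keep in mind that hiding the form also removes the password fallback if Dex is down. Separately, unless `gitea.admin.existingSecret` is set, the forgejo-helm chart appears to keep its built-in default admin username and password — worth confirming and pinning to a sops-managed Secret before the tunnel goes live.
```yaml
          config:
            # … unchanged: server section (ROOT_URL, DOMAIN, SSH) …
            service:
              # Local self-registration off; accounts come from the Dex OAuth2 source.
              ALLOW_ONLY_EXTERNAL_REGISTRATION: true
              # Hide the username/password form so the OIDC button is the only sign-in path.
              ENABLE_PASSWORD_SIGNIN_FORM: false
            oauth2_client:
              # Create the local account on first successful Dex login.
              ENABLE_AUTO_REGISTRATION: true
```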
@@ -0,0 +1,10 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: ksops-forgejo-secrets
+ annotations:
+ config.kubernetes.io/function: |
+ exec:
+ path: ksops
+files:
+ - oidc-secret.yaml
diff --git a/operators/forgejo/kustomization.yaml b/operators/forgejo/kustomization.yaml
new file mode 100644
index 0000000..b59026e
--- /dev/null
+++ b/operators/forgejo/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - application.yaml
+ - tunnel-binding.yaml
+generators:
+ - ksops-forgejo-secrets.yaml
diff --git a/operators/forgejo/namespace.yaml b/operators/forgejo/namespace.yaml
new file mode 100644
index 0000000..2a5181d
--- /dev/null
+++ b/operators/forgejo/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: forgejo
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
diff --git a/operators/forgejo/oidc-secret.yaml b/operators/forgejo/oidc-secret.yaml
new file mode 100644
index 0000000..aa9882d
--- /dev/null
+++ b/operators/forgejo/oidc-secret.yaml
@@ -0,0 +1,29 @@
+# Consumed by the Forgejo Helm chart's gitea.oauth[].existingSecret hook,
+# which expects two stringData keys: "key" (clientID) and "secret"
+# (clientSecret). Matches dex.forgejo.clientSecret in argocd-secret.
+apiVersion: v1
+kind: Secret
+metadata:
+ name: forgejo-oidc
+ namespace: forgejo
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+type: Opaque
+stringData:
+ key: forgejo
+ secret: ENC[AES256_GCM,data:zH1yX3Qw5j55knU468o4DOiiJaqNpLLUNLuCtbN17Q92NCjAxNoyl8N9+EXhYj3i2fQ2wWv7CThO4hFs81dpsg==,iv:YsP+RSBfTRo64AjA8zDMHBYFu61lmMYJ0B8hFWSPwo0=,tag:lbL92JdQaMNjB3hUO5Qn4g==,type:str]
+sops:
+ age:
+ - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrcUw2U1gvbWphaUVEMTA5
+ VS8wbHdVY1VtKzQ5cjJkSFJ4WEFVUVc5TEMwClhBN3dlajhvRHdnS1J2VWN4ZTZu
+ WkdLeCtoZmNTRDVTQVpOdHlzOXN2cFUKLS0tIFo2S09vUXVkanBkYXpvSVIyNHFu
+ cE9CVkR6bnR1Ly9uMEQ2dmFMUUdmK0kKhjJw7mJlSY2Zm2RNTK3hPQEOeoYp5+2G
+ E53MJEvft81m3bZC5HUpVmXslA5/6DaKIr7U3ULDt184+iYRh/dJ/A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-04-30T05:15:38Z"
+ mac: ENC[AES256_GCM,data:n8gRWK542eUHTIvWIUUa2FD5UzgO3ikuyrGSmgAei1B34JeMW3VQ0PrsoFjOXZf94+pp6TGqDkt+SAZn9Hji80H7gYPZpuTYS8Twov8RDZUswkyRUKWgG1+UwkLGJeml5eFx3lnyFu0Xu69rFNl/7V7lVKyFB/t1Ewttu056PqA=,iv:Xjxoa1xzr38xz4HI3K2jXBA5a6tY2SEZBoF2RUiA0fU=,tag:ptr63wITVkxwTDSqv9mFWA==,type:str]
+ encrypted_regex: ^(token|api-token|apiToken|clientID|clientSecret|client_id|client_secret|password|secret|github_token|CLOUDFLARE_API_TOKEN|credentials\.json|.*_SERVICE_KEY|GF_AUTH_(GITHUB|GENERIC_OAUTH)_CLIENT_SECRET|GF_SECURITY_ADMIN_PASSWORD|dex\.[a-z]+\.clientID|dex\.[a-z]+\.clientSecret|OIDC_CLIENT_(ID|SECRET))$
+ version: 3.12.2
diff --git a/operators/forgejo/tunnel-binding.yaml b/operators/forgejo/tunnel-binding.yaml
new file mode 100644
index 0000000..8b27dad
--- /dev/null
+++ b/operators/forgejo/tunnel-binding.yaml
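Review bot: The Forgejo client secret now lives encrypted in two independent files — `secret` here and `dex.forgejo.clientSecret` in bootstrap/secrets/github-oauth-secret.yaml — and nothing in the repo checks that they agree, so a rotation that re-encrypts only one of them leaves Dex and Forgejo disagreeing and sign-in fails at the token exchange until the other is updated. The header comment records the relationship but not the procedure; I would extend it with `# ROTATION: change this value and dex.forgejo.clientSecret in bootstrap/secrets/github-oauth-secret.yaml in the same commit (both are sops-encrypted for the same age recipient).` Also, the `encrypted_regex` recorded in this file differs from the one in the github-oauth-secret.yaml hunk (this one adds `GF_AUTH_(GITHUB|GENERIC_OAUTH)_CLIENT_SECRET` and `OIDC_CLIENT_(ID|SECRET)`), which suggests the sops creation rule has drifted since the older file was last encrypted; it appears harmless for the keys present, but re-encrypting the older file would keep both on the current rule.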
@@ -0,0 +1,16 @@
+---
+apiVersion: networking.cfargotunnel.com/v1alpha1
+kind: TunnelBinding
+metadata:
+ name: forgejo
+ namespace: forgejo
+ annotations:
+ argocd.argoproj.io/sync-wave: "1"
+subjects:
+ - name: forgejo-http
+ spec:
+ fqdn: forgejo.makeitwork.cloud
+ target: http://forgejo-http.forgejo.svc:3000
+tunnelRef:
+ kind: ClusterTunnel
+ name: cluster-apps
diff --git a/operators/kustomization.yaml b/operators/kustomization.yaml
index 6e9faeb..30ce061 100644
--- a/operators/kustomization.yaml
+++ b/operators/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
 - arc
 - cert-manager
 - cloudflare
+ - forgejo
 - grafana
 - headlamp
 - kube-prometheus-stack