Forgejo
Self-hosted git server with push-mirrors to GitHub. Source of truth lives in the homelab; GitHub is a downstream mirror that keeps GH-side Actions and the public-facing presence intact.
Web UI: https://git.rampancy.cloud (LAN: http://192.168.1.249:3000).
Phase 6A complete — 2026-05-04 / 2026-05-05
CT 109 live; Forgejo 11.0.13 serving at https://git.rampancy.cloud via Caddy (CT 107) with CrowdSec coverage; CF DNS token rotated; all 4 repos imported with push-mirrors back to GitHub (sync_on_commit: true); local origins flipped to Forgejo on WSL with github remote retained as fallback. Per-repo Discord webhooks deferred (single-operator setup, low signal value).
Service details
| Property | Value |
|---|---|
| Host | forgejo LXC (CT 109, 192.168.1.249) — see proxfold guests |
| Package | forgejo-sqlite from forgejo-contrib APT repo (channel: lts) |
| Database | SQLite under /var/lib/forgejo/ |
| Repo storage | /var/lib/forgejo/forgejo-repositories/ (LXC rootfs on rpool) |
| Reverse proxy | git.rampancy.cloud → 192.168.1.249:3000 via Caddy on CT 107 (Phase 6B) |
| Push direction | Forgejo (primary) → GitHub (mirror) per repo |
| Auth (push) | HTTPS + GitHub fine-grained PAT per mirror; no SSH exposure |
| Auth (UI) | Local accounts; Pocket-ID OIDC migration deferred to Phase 7E |
| 2FA | TOTP enforced on admin |
| Backup | Captured by pbs-daily (LXC nightly), plus the GitHub mirror as offsite copy |
Repos under Forgejo
All four were imported via the Forgejo migrate API on 2026-05-05; full history + issues + PRs + releases + wiki preserved. Each per-repo push-mirror to GitHub uses a fine-grained PAT scoped to Contents: Read+Write on that single repo.
| Repo | URL | GH mirror | Notes |
|---|---|---|---|
| arrstack | git.rampancy.cloud/rampancy/arrstack | yes | docs site source — Cloudflare Pages still triggers off GitHub webhook post-mirror |
| homelab-ansible | git.rampancy.cloud/rampancy/homelab-ansible | yes | infra-as-code |
| mediabot | git.rampancy.cloud/rampancy/mediabot | yes | media bot — roles/arrstack still pulls from GitHub URL via SSH deploy key (mirror keeps GH fed; switch deferred until 7E SSH-push enable) |
| meat-helmet | git.rampancy.cloud/rampancy/meat-helmet | yes | comic posters; GH-side scheduled Actions still run on cron (no push triggers in any workflow) |
Mirror operation
- Forgejo's per-repo push-mirror fires on each push to Forgejo (and on the configured fallback interval, default 1h homelab-wide).
- Each mirror authenticates via a fine-grained GitHub PAT scoped to that single repo with Contents: write + Metadata: read — leak of any one PAT confines the blast radius to one repo, write-only.
- meat-helmet keeps its GitHub Actions secrets (Discord webhooks, Cloudflare token) on the GH side; these are unaffected by the migration.
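A way to check that every repo still follows the mirror policy above (one HTTPS mirror to its own GitHub repo, sync_on_commit on, no failed sync), as an added example that is not part of the original page or of Forgejo itself. The field names follow the records returned by Forgejo's push_mirrors API endpoint; GH_OWNER is a placeholder because the page does not name the GitHub account, and all sample records are constructed.

```python
"""Audit Forgejo push-mirror settings against the policy described above.

Each value in SAMPLE has the shape of the JSON list returned by
GET /api/v1/repos/{owner}/{repo}/push_mirrors. All values are constructed.
"""
from urllib.parse import urlsplit

GH_OWNER = "example-owner"  # placeholder: the page does not name the GitHub account


def audit_mirrors(repo, mirrors, gh_owner=GH_OWNER):
    """Return findings for one repo; an empty list means the mirror is compliant."""
    findings = []
    if len(mirrors) != 1:
        findings.append(f"{repo}: expected exactly 1 push mirror, found {len(mirrors)}")
    for m in mirrors:
        url = urlsplit(m.get("remote_address", ""))
        path = url.path.strip("/")
        path = path[:-4] if path.endswith(".git") else path
        if url.scheme != "https" or url.hostname != "github.com":
            findings.append(f"{repo}: mirror is not HTTPS to github.com")
        elif path != f"{gh_owner}/{repo}":
            findings.append(f"{repo}: mirror targets {path!r}, not its own GitHub repo")
        if url.username or url.password:
            findings.append(f"{repo}: credentials embedded in remote_address")
        if not m.get("sync_on_commit"):
            findings.append(f"{repo}: sync_on_commit is off, only the interval sync runs")
        if m.get("last_error"):
            findings.append(f"{repo}: last sync failed: {m['last_error']}")
    return findings


def mirror(repo, sync=True, err=""):
    """Build one constructed push-mirror record for the sample data."""
    return {"remote_address": f"https://github.com/{GH_OWNER}/{repo}.git",
            "interval": "1h0m0s", "sync_on_commit": sync, "last_error": err}


SAMPLE = {
    "arrstack": [mirror("arrstack")],
    "homelab-ansible": [mirror("homelab-ansible", err="authentication failed")],
    "mediabot": [mirror("arrstack", sync=False)],   # points at the wrong repo
    "meat-helmet": [],                               # mirror missing entirely
}

if __name__ == "__main__":
    for name, mirrors in SAMPLE.items():
        for line in audit_mirrors(name, mirrors) or [f"{name}: ok"]:
            print(line)
```

A non-empty last_error on a mirror is the usual first sign that its PAT has expired or been revoked, so this check is worth running on a schedule rather than only after changes.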
Fallback path
Forgejo down? Local clones still have github as a named remote (added during 6C). git push github <branch> keeps working until Forgejo's back. Re-sync mirrors after recovery.
Related
- Forgejo Setup runbook — execution checklist 6A–6D.
- Forgejo role page — Ansible role internals.
- Edge cutover — Caddy reverse proxy that fronts the service.