this post was submitted on 28 Mar 2026
31 points (100.0% liked)

Selfhosted

60543 readers
307 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details. Tags [CBH] or [AIP] are required, see the link in Rule 8 for details.

  8. AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post. )

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

I am experimenting with using forgejo instead of GitHub for my personal projects. So far I like it, however I would like to make it available to the outside world at some point.

I was wondering what kind of traps I should avoid. The following things come to mind so far:

  • Forgejo Actions seem like a massive potential security risk, however I do not intend to enable sign up for other
  • OpenID appears to be a thing for forgejo, I do not know how it works and it seems like it would allow access to my instance even with registering disabled
  • I would put the instance behind a nginx as reverse proxy, but how do you keep bot traffic to a minimum? Anubis?

I feel like there are a ton of things I have not thought of, which is why I am holding off on making anything available without a VPN so far.

you are viewing a single comment's thread
view the rest of the comments
[–] AcornTickler@sh.itjust.works 1 points 3 months ago

I run it in a rootless Podman container using Quadlets. Instead of opening the server's ssh port, I only port-forward the container's ssh port (e.g. 22 -> 2222). I have sign-ups enabled, since I want people to be able to contribute (or just create issues). But I have configured the server so that nobody can create a repository. They can still fork my repos and send a pull request.

I have yet to experiment with Actions. I assume the safest option would be to only enable it for my own commits, but I am not sure.