Goofed Home

Here’s the background: I’d been using Gitea for open source project hosting for a quite a while. So when the Forgejo fork started up, I thought to myself: Eh, I’ll see how that all unfolds and maybe look into it at some point. After all, Forgejo is a soft fork, so I can just switch over whenever.

But then Forgejo became a hard fork while I was busy with other stuff, and before I knew it, It seemed too late to switch unless I wanted to lose all my tickets and stuff.

Then I saw this post and read this background and decided it was time for me to switch to Forgejo, hard fork be damned.

But I’m very stubborn, and I still wanted to keep all of my Gitea data intact. So here’s what I did, and what you could do too:

Step one: Create a SQL “migration” that downgrades the Gitea database from the modern version you’re using to the last version that Forgejo supports upgrading, Gitea 1.22.6, from back when Forgejo was still a soft-ish fork. That means you’re effectively rolling back each migration from Gitea 1.25 all the way through 1.24 and 1.23.

When I did this, I used an LLM (specifically MiniMax with OpenCode) to generate the reverse mega-migration, feeding it this very outdated starting point as inspiration. But I totally understand if not everyone is comfortable with using AI. In fact, I really wasn’t either, but I figured this is a mostly mechanical one-off. If you don’t want to use AI, you can generate the reverse migration manually by combing through the migrations linked above.

I did find three mistakes the LLM made: 1. An off-by-one error in UPDATE version ... because the value should be the last migration number (298 in this case) plus one, 2. Some of the steps it generated to back out an individual migration were out of order, e.g. dropping the issue_pin table before copying data out of it, and 3. It apparently missed making one particular column (type in the review table) into an int instead of a varchar.

Once I fixed these issues (well, the ones I found ahead of time instead of after the fact), the mega-migration was ready to go.

(I’m not including the mega-migration here, because even if it worked for me, I don’t want to be responsible for people fucking up their systems if it doesn’t work for them. I’d much rather people be responsible for fucking up their own systems.)

Step two: Backup your Gitea database and files!!!

Step three: Stop Gitea and run the mega-rollback-migration against your Gitea database. This effectively downgrades the database to Gitea 1.22.6. You can optionally then deploy the Gitea 1.22.6 binary or container and start it up to poke around the Gitea web UI and verify that the downgrade worked. Then stop Gitea again.

Step four: Replace the Gitea binary or container with the last release of Forgejo to support upgrades from Gitea, Forgejo 10.0.3. Start Forgejo and try out the web UI to make sure it’s working.

Step five: Upgrade your Forgejo binary or container to the latest release of Forgejo, 14.0.3 at the time of this writing. Restart Forgejo and hopefully enjoy your newly “upgraded” instance, complete with all of your repos and ticket history!

I had like 10 repos and nothing of much value in the DB, so it was quick to create the repos and push them up.

I didn’t have any to move, so I didn’t allow for that. I’d assume not though.

Hi there, I’m looking to get into self-hosting for privacy reasons and I wanted to ask y’all: how inadvisable is it to utilize an ISP-owned router/modem? I feel like they’re able to track everything I do online with their more than likely integrated spyware.

This is the sensible comment.

We all go our own ways. Over the later years I’ve added features and with it the inevitable complexity. Self-hosting my own data has made my care more about what goes on in my network. I am not quite at the stage of adding VLAN’s but it will probably come.

Hey,

Im using openwrt with banip to only allow certain countries to access my services. Im not familiair with banip and im having issues finding documentation about it so thats why i came here.

I need to allow a certain path to allow cert-manager to get me new certificates using http challanges. If im not mistaking i have to allow the path: .well-known/acme-challenge/*.

Is their an option to allow this from any country but block all other requests?

My current config is as following:

root@OpenWrt:~# uci show | grep ban
banip.global=banip
banip.global.ban_enabled='0'
banip.global.ban_debug='0'
banip.global.ban_autodetect='1'
banip.global.ban_allowlistonly='1'
banip.global.ban_fetchcmd='curl'
banip.global.ban_protov4='1'
banip.global.ban_ifv4='wan'
banip.global.ban_protov6='1'
banip.global.ban_ifv6='wan6'
banip.global.ban_dev='eth0'
banip.global.ban_fetchretry='5'
banip.global.ban_nicelimit='0'
banip.global.ban_filelimit='1024'
banip.global.ban_deduplicate='1'
banip.global.ban_nftpriority='-100'
banip.global.ban_icmplimit='25'
banip.global.ban_synlimit='10'
banip.global.ban_udplimit='100'
banip.global.ban_nftpolicy='memory'
banip.global.ban_nftretry='5'
banip.global.ban_blockpolicy='drop'
banip.global.ban_nftloglevel='warn'
banip.global.ban_logprerouting='0'
banip.global.ban_loginbound='1'
banip.global.ban_logoutbound='0'
banip.global.ban_loglimit='100'
banip.global.ban_autoallowlist='1'
banip.global.ban_autoallowuplink='subnet'
banip.global.ban_autoblocklist='1'
banip.global.ban_country='be'
banip.global.ban_logterm='Exit before auth from' 'luci: failed login' 'error: maximum authentication attempts exceeded' 'received a suspicious remote IP .*'
banip.global.ban_vlanallow='br-lan'
banip.global.ban_allowurl='https://www.ipdeny.com/ipblocks/data/aggregated/be-aggregated.zone' 'https://www.ipdeny.com/ipv6/ipaddresses/aggregated/be-aggregated.zone'
banip.global.ban_geoip='1'
banip.global.geoip_src='dbip'
banip.global.geoip_mode='allowlist'
banip.global.ban_feeds='country:BE' 'country:BE' 'geoip:BE'
banip.global.ban_all='1'
banip.global.allow_country='BE'
banip.global.ban_feedin='country'
banip.global.ban_feed='hagezi' 'tor' 'vpn'
wireless.radio0.band='2g'
wireless.radio1.band='5g'

Thanks for your time and have a great day!

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

[Thread #174 for this comm, first seen 16th Mar 2026, 21:00] [FAQ] [Full list] [Contact] [Source code]

This can’t be achieved with banip only, it bans based on CIDR blocks at layer 3 (IP).

Hi, i’m looking for a VPN that:

• is easily deployable via a docker-compose
• has an Android App and it doesn’t drain the battery too much
• hides as regular HTTPS traffic so it’s not blockable by Firewalls. (I don’t need strong censorship resistance; it just has to work in offices and hotel WiFis.)
• Bonus: A server like caddy can also accept HTTPS traffic for some regular websites next to the VPN server.

https://github.com/TrustTunnel/TrustTunnel sounds interesting, but the PR for docker compose was closed.

Do you know something else?

Also try wireguard over port 53. Often (udp) traffic to port 53 is unblocked because it’s needed for DNS.

What is special about this setup is that it can sometimes get around captive portal wifi.

Pretty nice idea! Will try it. Thanks.

I mostly lurk here, and I know we’ve had this discussion come up a number of times since Discord’s age verification changes were announced, but I figured this video offers value for the walkthrough and comparative analysis. Like me, the video authors aren’t seasoned self-hosters, and I’ve still got a lot to learn. Stoat and Fluxer both look appealing to me for my needs, but Stoat seemingly needs self-hosted servers to route through their master server (unless I’m missing something stupid) and I replicated the 404 for Fluxer’s self-hosting documentation seen in the video, so it’s looking like I’m leaning toward a Matrix server of some kind. Hopefully everyone looking for the Discord exit ramp is closer to finding it after this video.

Same for me.

The moment I can use Docker, I’m spinning it up with Tailscale and invite those who are ready to swap.

Fingers crossed it turns out as good as we hope!

I think Matrix is the most suitable alternative. For me at least. The Element web and desktop app is almost on level with discord and on matrix.org and other popular instances you get element call too.

I am currently looking at integrating as much of my services as possible with authentik with the main requirement being authentik users being able to register an account easily via authentik through any given provider. But either I am not thorough enough or OIDC for example is simply not supported by lemmy. I cannot find anything in the docs or on any third party site. Is there something I am overlooking or is OIDC simply not supported in lemmy?

https://github.com/LemmyNet/lemmy/pull/4881/commits/e0b20cd2744aa157852968e0df984430261408cb

But it seems like it is not widely offered by pupic instances…

Ok thank you very much, I mainly just want to integrate it into my private instance ^^. Would just love to some docs for integrating it but looks like i just need to wait a bit haha. But again thank you

is this Little Bobby Tables?

Cron job too complicated, just buy one of those timed light controllers to power off the server every night for an hour.

My actual “solution” was to do nothing and just let Kubernetes restart it when it OOMs 😅

I’ve been interested in self hosting a small variety of services yet I’m so confused on where to start. What would you guys recommend for a server machine?

My main uses (and some of the services I think are appropriate for the use case) are:

• 1tb photo, video storage, push/pull (immich)
  
• 512gb total shared between downloaded music storage (navidrome) and pdf/ebook storage (calibre)—all pull only
  
• 1tb movies/tv storage on a media server (jellyfin)
• 512gb storage for random junk or whatever, plus a file transfer push/pull (syncthing..? or nextcloud?)
  
• potential basic bio website hosting (near future)
• potential email hosting (distant future)
  

anyways with that all said i have a few questions:

• what server should i buy if i want to expand storage in the future? should i just build a pc with like 3x1tb storage, or 6x1tb storage w/ redundancy? totally confused about the concept of redundancy lol
• any thoughts on the services im suggesting? especially for file transfer

Yup! Mostly symfonium since i mostly use my phone for music. Started using feishin recently for desktop use and have been really impressed with it. I csv recommend both! And they’ll both work with jellyfin or navidrome depending on which you decide to use for music

To add yet another advice: - Get a Lenovo or dell slim client (not a nuc/mini pc but the bigger version with data ports. Roughly same power but more useful hardware) - get 2*4 tb hdd for mass storage - a 500gb ssd for the os. If you have the money, maybe even 2 of them and clone them - the os is tricky. You can use proxmox, which is basically like Linux but as you have multiple vms in there you can have multiple Linux installed to take care of. Another choice would be something like truenas, casaOs, unraid etc. I can’t recommend one there, I use proxmox and its great if you like CLi/sah - to make it accessible from not home, use tailscale. You can also use a domain/dns to not have to remember ips - if you have the option, take a mother thin client or pc with same amount of storage to another location and install a backup system, like proxmox backup system. That way your data is safe. Take a look at encryption if you dong trust the other place.

• my backup server draws 15w idle and 40-50w when its working
• my home lab is drawing 30w idle and 60 under load
• its just another factor to be aware of

Have fun!

So im sorry if this is the Wrong Sub more or less tho i did wanna ask if maybe one of you also selfhosts stuff as i am particulary having Issues with iocane ^^”
Mostly in the sense of that while Installation went succesful it did give me Issues regarding being unable to reach my Website which i selfhost via Caddy :(
Gave me an Error 421 if i remember correctly and i feel very stupid and embarassed that i cant solve it on my own as it is quite annoying >.<

Looks like there’s a problem with this site
https://retro-hax.net/ sent back an error.
Error code: 421 Misdirected Request
Check to make sure you’ve typed the website address correctly.

My Caddyfile is quite Basic tho as it looks like this with iocane being outcommented right now due to the 421 Bug :P

user@retro-hax:/etc/caddy$ cat Website.caddy
retro-hax.net {
  #@read method GET HEAD
  #reverse_proxy @read 127.0.0.1:42069 {
  #  @fallback status 421
  #  handle_response @fallback
  #}

  root * /var/www/html/Website
  file_server {
    index  Home.html
  }
}

and yes i did open up Port 42069 on my Router to make sure it wasnt a Porting Issue X_X

Caddy is a proxy

Your router is almost certainly a firewall.

well without iocane https://retro-hax.net/ can be accessed but just if i do uncom,ment the iocane stuff then i just get this 421 error But iocane is running via the systemd system and started so i dont understand why it doesnt work easily >.>

While it has been a while since I have posted anything, development on VoidAuth continues! The highlight feature of this release is the ability to declare OIDC Client Apps and their properties externally, and was written by a new contributor to the project! This can be done with environment variables passed to VoidAuth, or as container labels on the services themselves. Very cool, documentation for that is here.

This release also comes with additional features like User Passkey Management, Unix Socket Support for PostgresDB, and Single Character Usernames/Names. Check out the Release Notes below:

What’s Changed

Features 🚀

• Environment Variable and Container Label Declared OIDC Clients by @MrNavaStar
• Unix Socket Connections for Postgres DB by @repomaa
• Passkey Management
• Single Character Usernames and Names

Fixes 🔧

• Trim White-Space in Form Input
• Fix Emails for Sign-in Cannot Be Longer than 32 Characters
• Fix Remember Me Not Working When Signing in with MFA

Docs 📖

• Add Vaultwarden to OIDC Guides by @lyneld

Chores🧹

• Remove Un-Used SQLite3 Dependency

I have authelia, should I switch? is this configured via ui?

It is configured mostly through UI. The separation (in my opinion) is VoidAuth configuration happens mostly through environment variables and Client/Users/Domain configuration happens in the Web UI. You can try it out and switch if you like it and think the effort of switching is worth it