This article was generated by AI analysis
Created: 2026-03-28 Source: https://nilsnh.no/how-i-self-host-git-projects/
Summary
Nils Norman Haukås’s detailed writeup of his self-hosted Forgejo git server setup: OpenWRT router with DMZ/trusted zone network segmentation, global IPv6 addressing (eliminates NAT complexity), Synology NAS for 3-2-1 backups via SFTP, and restic for incremental off-site backup.
Key Points
- Network: OpenWRT on Linksys WRT1900AC ($50 used); DMZ zone for public-facing servers, trusted zone for everything else
- DMZ isolation: DMZ devices can’t initiate connections to trusted zone (unidirectional access)
- IPv6: all DMZ devices get global IPv6 addresses — eliminates NAT, no dnsmasq fiddling; devices are directly reachable by domain name
- 3-2-1 backup: Synology DS220+ as local backup target (SFTP-only user per server); third copy is off-site
- Goals: learn long-lived technologies (not hype); minimize technical debt; affordable power-efficient hardware
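The DMZ isolation and direct IPv6 reachability points above, as an added example that is not from the original post or the author's router: a Python check over a constructed OpenWrt `/etc/config/firewall` excerpt that flags any forwarding or ACCEPT rule letting the DMZ open connections into the trusted zone. The zone names `lan` and `dmz`, the address `2001:db8::10` and the function names are assumptions.

```python
import shlex

# Constructed /etc/config/firewall excerpt. Zone names 'lan' (trusted) and 'dmz'
# and the documentation address 2001:db8::10 are assumptions, not the author's.
SAMPLE = """
config zone
	option name 'lan'
config zone
	option name 'dmz'
config forwarding            # trusted zone may open connections into the DMZ
	option src 'lan'
	option dest 'dmz'
config forwarding            # DMZ may reach the internet, but not 'lan'
	option src 'dmz'
	option dest 'wan'
config rule                  # inbound HTTPS straight to a global IPv6 address
	option src 'wan'
	option dest 'dmz'
	option family 'ipv6'
	option proto 'tcp'
	option dest_ip '2001:db8::10'
	option dest_port '443'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Return [(section_type, {option: value})] from UCI config text."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:1] == ["config"] and len(tok) > 1:
            sections.append((tok[1], {}))
        elif tok[:1] == ["option"] and len(tok) == 3 and sections:
            sections[-1][1][tok[1]] = tok[2]
    return sections

def isolation_violations(text, dmz="dmz", trusted="lan"):
    """Forwardings or ACCEPT rules that let the DMZ initiate into the trusted zone."""
    bad = []
    for kind, opt in parse_uci(text):
        allows = kind == "forwarding" or (kind == "rule" and opt.get("target") == "ACCEPT")
        # dest '*' means any zone, so it also covers the trusted zone
        if allows and opt.get("src") == dmz and opt.get("dest") in (trusted, "*"):
            bad.append((kind, opt["src"], opt["dest"]))
    return bad

if __name__ == "__main__":
    print(isolation_violations(SAMPLE) or "DMZ cannot initiate into the trusted zone")
```

No NAT or port-forward section appears in the excerpt: the inbound rule matches the server's global IPv6 address directly, which is the simplification the summary describes.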
Insights
The IPv6 simplification point is practically important and underappreciated: with global IPv6 addresses on all DMZ devices, you can point a domain name at a device’s IPv6 address and it resolves correctly both inside and outside the network without any NAT port-forwarding rules or split-horizon DNS. This is genuinely simpler than the typical IPv4 homelab setup. The SFTP-only, quota-restricted backup user pattern is a good security practice — each server has a minimal credential that can only write to its own backup folder, limiting blast radius if a server is compromised.
Connections
Raw Excerpt
I can’t overstate how much global IPv6 addresses simplified my setup. It means I can totally skip the issue of network-area translation (NAT), and skip wrestling with dnsmasq. I can take any global IPv6 address in the DMZ, stick it behind a domain name, and have it resolve swimmingly inside and outside of the network.