Using runtipi traefik with DNS challenge (selfhostde) and use Forgejo & Forgejo runner
Hi all, just a quick intro of myself. I'm fairly new to runtipi and I'm pretty impressed by all your good work. I'm living in Stuttgart - Germany and in my free-time I'm doing some homelab stuff. Mainly I'm focusing on automation of OS installs (cloud-init) on my two Proxmox 2/3 node clusters (ThinClient Fujitsu S920 / AMD). I'hv setup VLANs in my network and a routing firewall for DMZ and DCLAN (servers), clients are still in the LAN of my FritzBox!. The FritzBox! is delegating the IPv6 to the subnets where my services are running. The firewall (OpenWRT on an other FritzBox! device) is routing traffic, doing DNS for all Zones.
I installed runtipi via PVE helperscripts into an LXC container in the DCLAN Zone for testing. I want to run Forgejo for GitServer and Forgejo runners for CI/CD and automation, following GitOps strategy. To complete the automation piece, it's targeted to have also Semaphore UI as an execution engine for Ansible scripts (if I fail to do this with a Forgejo runner and actions).
On runtipi I changed the local domain to meet the domain of the DCLAN and exposed Forgejo on this domain (git.mydclandomain.domain.de). My DNS provider for the domain.de is selfhost.de and my FritzBox! is using the DynDNS client to dynamically update the domains IP.
Still Forgejo is using the local Domain, which has not a complete cert-chain, so runners fail to register themself with the Forgejo server, due to X.509 certification verfication error. The runner container is build on Alpine and the CA certs are stored in /etc/ssl/certs.
My goal is to use Let's encrypt certificatates for my domain using DNS challenge and expose the Forgejo git server only to my internal network. I want to use runtipi's traefik for wildcard cert and use this for all my servers without exposing any of my internal services to public Internet. Refering to @Nicolas' post — 20.08.2025 08:55 - 3. DNS challenge. Struggling with DNS challenge (selfhost.de) and exposing Forgejo on LE certs.
I installed runtipi via PVE helperscripts into an LXC container in the DCLAN Zone for testing. I want to run Forgejo for GitServer and Forgejo runners for CI/CD and automation, following GitOps strategy. To complete the automation piece, it's targeted to have also Semaphore UI as an execution engine for Ansible scripts (if I fail to do this with a Forgejo runner and actions).
On runtipi I changed the local domain to meet the domain of the DCLAN and exposed Forgejo on this domain (git.mydclandomain.domain.de). My DNS provider for the domain.de is selfhost.de and my FritzBox! is using the DynDNS client to dynamically update the domains IP.
Still Forgejo is using the local Domain, which has not a complete cert-chain, so runners fail to register themself with the Forgejo server, due to X.509 certification verfication error. The runner container is build on Alpine and the CA certs are stored in /etc/ssl/certs.
My goal is to use Let's encrypt certificatates for my domain using DNS challenge and expose the Forgejo git server only to my internal network. I want to use runtipi's traefik for wildcard cert and use this for all my servers without exposing any of my internal services to public Internet. Refering to @Nicolas' post — 20.08.2025 08:55 - 3. DNS challenge. Struggling with DNS challenge (selfhost.de) and exposing Forgejo on LE certs.
