Pilot Book: Developer Infrastructure

Self-hosting Git, CI/CD, and a private code assistant. What it takes.

What is inside

  • Setup guides and real-world implementation notes
  • Tradeoffs, costs, and deployment assumptions
  • Enough detail to build, not just admire

What you're building

A complete self-hosted developer stack: Gitea or Forgejo for Git hosting, Woodpecker CI for pipelines, a private container registry, Authentik for SSO, and Ollama with a code model as a private GitHub Copilot alternative.

Your source code never leaves your infrastructure. CI pipelines run on your hardware. Your code AI trains on nothing and sends nothing anywhere.


Gitea vs Forgejo: which one

Both come from the same codebase: Forgejo is a fork of Gitea. The practical difference in 2026:

Forgejo — non-profit governance, GPL license, monthly security patches, community-driven. Pick this unless you need specific Gitea Enterprise features.

Gitea — commercial entity behind it, enterprise features (SAML, advanced audit), slightly larger ecosystem. Pick this if you need SAML SSO or have existing Gitea tooling.

For a new deployment: Forgejo. For 90% of teams, there is no meaningful difference.


Installation (Docker Compose)

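version: "3"
services:
  forgejo:
    # :latest follows whatever is newest; pin a specific release tag for production
    image: codeberg.org/forgejo/forgejo:latest
    container_name: forgejo
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - FORGEJO__database__DB_TYPE=postgres
      - FORGEJO__database__HOST=db:5432
      - FORGEJO__database__NAME=forgejo
      - FORGEJO__database__USER=forgejo
      # placeholder: replace, and keep identical to POSTGRES_PASSWORD below
      - FORGEJO__database__PASSWD=your-password
    volumes:
      - ./forgejo-data:/data
    ports:
      - "3000:3000"   # web UI (HTTP); the reverse proxy terminates HTTPS in front of it
      - "2222:22"     # Git over SSH, published on host port 2222
    depends_on:
      - db

  db:
    image: postgres:16
    environment:
      - POSTGRES_USER=forgejo
      - POSTGRES_PASSWORD=your-password   # placeholder: same value as FORGEJO__database__PASSWD
      - POSTGRES_DB=forgejo
    volumes:
      - ./postgres-data:/var/lib/postgresql/data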

Put Caddy or Nginx in front for HTTPS. Set your domain in Forgejo's app.ini ROOT_URL.

Resource requirements: Forgejo idles at ~200MB RAM. A 2 vCPU / 4GB VM handles 50+ active developers comfortably. Scale the database separately for large repositories or heavy CI load.


CI/CD: Woodpecker CI

Woodpecker CI uses GitHub Actions-compatible YAML syntax. Your existing GitHub Actions workflows run with minimal changes.

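# docker-compose addition: place both services under the existing services: key
woodpecker-server:
  image: woodpeckerci/woodpecker-server:latest
  environment:
    - WOODPECKER_OPEN=false   # no open registration
    # public URL of the Woodpecker server itself (required; placeholder domain)
    - WOODPECKER_HOST=https://ci.yourdomain.com
    - WOODPECKER_GITEA=true
    - WOODPECKER_GITEA_URL=https://git.yourdomain.com
    - WOODPECKER_GITEA_CLIENT=your-oauth-client-id
    - WOODPECKER_GITEA_SECRET=your-oauth-secret
    # shared secret: must be identical on the server and on every agent
    - WOODPECKER_AGENT_SECRET=your-agent-secret

woodpecker-agent:
  image: woodpeckerci/woodpecker-agent:latest
  environment:
    - WOODPECKER_SERVER=woodpecker-server:9000
    - WOODPECKER_AGENT_SECRET=your-agent-secret
  volumes:
    # the agent starts pipeline containers through the host's Docker daemon
    - /var/run/docker.sock:/var/run/docker.sock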

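Agents run the pipelines. Run agents on your build machines, not on the server, and add more agents for parallel builds. The agent mounts the host's Docker socket, which gives it root-equivalent control of that machine, so treat build hosts as a separate trust zone from the Git server.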

GitHub Actions compatibility: Woodpecker supports a subset of GitHub Actions steps natively. Most workflows migrate with small changes. The main gap: GitHub Actions marketplace steps don't work directly — you use Docker images instead.
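The two compose fragments above contain several settings worth checking before going live: floating image tags, inline credentials, ports published on every interface, and the Docker socket mount. The following is an added example, not part of the original guide or of any of the projects it describes: a small stdlib-only linter for those four patterns. The sample input is constructed from the page's snippets, the rule names are this example's own, and it only understands list-style (- KEY=value) entries.

```python
import re

# Constructed sample: an excerpt of the compose settings shown on this page.
SAMPLE = """\
services:
  forgejo:
    image: codeberg.org/forgejo/forgejo:latest
    environment:
      - FORGEJO__database__PASSWD=your-password
    ports:
      - "3000:3000"
      - "127.0.0.1:2222:22"
  woodpecker-agent:
    image: woodpeckerci/woodpecker-agent:latest
    environment:
      - WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
"""

SECRET_NAME = re.compile(r"(PASSWD|PASSWORD|SECRET|TOKEN)", re.I)

def audit_compose(text):
    """Return (line_no, rule, value) findings for a docker-compose file."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #")[0].strip()          # drop trailing comments
        key = re.match(r"([\w.-]+):\s*(.*)$", line)
        if key and not line.startswith("-"):
            section, value = key.group(1), key.group(2).strip("\"'")
            tag = value.rsplit("/", 1)[-1].partition(":")[2]
            if section == "image" and tag in ("", "latest"):
                findings.append((no, "unpinned-image", value))
            continue
        if not line.startswith("-"):
            continue
        item = line[1:].strip().strip("\"'")
        if section == "environment" and "=" in item:
            name, val = item.split("=", 1)
            # a ${VAR} reference is resolved from the environment or an .env file
            if SECRET_NAME.search(name) and val and not val.startswith("${"):
                findings.append((no, "inline-secret", name))
        elif section == "volumes" and item.startswith("/var/run/docker.sock"):
            findings.append((no, "docker-socket", item))
        elif section == "ports" and item.count(":") == 1:
            # "host:container" without a host IP is published on all interfaces
            findings.append((no, "port-on-all-interfaces", item))
    return findings

if __name__ == "__main__":
    for finding in audit_compose(SAMPLE):
        print(*finding)
```

A docker-socket finding on a dedicated build host is expected; the point is to make sure it never shows up on the machine that also runs Forgejo.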


Container Registry

Forgejo has a built-in container registry (OCI-compatible). Enable it in app.ini:

[packages]
ENABLED = true

Push images to git.yourdomain.com/your-user/your-image:tag. Authenticate with your Forgejo credentials.

For a standalone registry: Zot is a lightweight, OCI-native registry with better performance for large images.


SSO: Authentik

Authentik connects Forgejo, Woodpecker, and every other service to one login.

Create an OAuth2 provider in Authentik for Forgejo. In Forgejo's admin panel: Site Administration → Authentication Sources → OAuth2.

When SSO is configured: users log into Forgejo with their Authentik credentials. The same credentials work for Woodpecker, your internal tools, and anything else connected to Authentik.

When someone leaves: disable their Authentik account. Access revoked everywhere simultaneously.


Private Code AI

Install Ollama on a machine with a GPU. Pull a code model:

ollama pull codestral:22b  # Best for most tasks, requires 14GB VRAM
ollama pull deepseek-coder:33b  # Strong alternative, 20GB VRAM
ollama pull qwen2.5-coder:7b  # Runs on 6GB VRAM, good for smaller GPUs

Install Continue.dev in VS Code or JetBrains. Point it at your Ollama endpoint. Your developers get code completion and chat without their code leaving your infrastructure.

For team-wide access: run Ollama on a shared server. Set OLLAMA_HOST=0.0.0.0 to bind to all interfaces, and put a firewall in front: the Ollama API has no built-in authentication, so anyone who can reach the port can use it. Each developer's Continue.dev connects to the shared endpoint.
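To confirm the firewall in front of the shared Ollama server does its job, run a check like the following from a network segment that should not have access. This is an added example, not part of the original guide: the hostname is a hypothetical placeholder, the three result labels are this example's own, and the opener parameter exists only so the function can be exercised without a network.

```python
import json
import urllib.error
import urllib.request

def ollama_exposure(base_url, timeout=3.0, opener=urllib.request.urlopen):
    """Classify how an Ollama endpoint answers an unauthenticated request.

    Returns "open" (model list served without credentials), "auth-required"
    (something in front answered 401/403), or "blocked" (no usable answer:
    connection refused, filtered, timed out, or not an Ollama response).
    """
    # /api/tags lists the installed models and needs no request body.
    req = urllib.request.Request(base_url.rstrip("/") + "/api/tags")
    try:
        with opener(req, timeout=timeout) as resp:
            body = json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return "auth-required" if err.code in (401, 403) else "blocked"
    except (urllib.error.URLError, OSError, ValueError):
        return "blocked"
    return "open" if isinstance(body, dict) and "models" in body else "blocked"

if __name__ == "__main__":
    # Hypothetical address of the shared server; 11434 is Ollama's default port.
    print(ollama_exposure("http://ollama.internal.example:11434"))
```

From a developer workstation the expected result is "open"; from anywhere else it should be "blocked", or "auth-required" if you put an authenticating reverse proxy in front.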


What breaks

Git LFS on large repositories — Forgejo supports Git LFS but requires separate configuration for the storage backend. Large binary files (ML models, game assets, large datasets) need S3-compatible storage configured for LFS. Failing to set this up causes pushes to fail silently.

Woodpecker pipeline secrets — secrets are per-repository or per-organization. There is no global secret store. Teams with many repositories managing the same credentials (e.g., a registry password) need to set it on each repo or use organization-level secrets carefully.

Runner resource exhaustion — CI pipelines running in parallel on the same agent compete for resources. Monitor runner CPU/RAM. Add more agents before performance degrades.

Continue.dev model latency — code completion requires fast response times (<500ms) to feel natural. 7B models on CPU are too slow. You need a GPU for acceptable code completion UX.


Honest cost breakdown

Server requirements

  • Forgejo + Woodpecker server: 2 vCPU, 4GB RAM, 100GB storage = €15–25/month on a VPS
  • CI runners: depends on pipeline complexity. A 4 vCPU / 8GB runner handles most teams.
  • Code AI GPU: RTX 4090 server (shared with other AI workloads) = €150–300/month amortized

Time investment

  • Initial setup: 6–12 hours
  • Ongoing: 1–2 hours/month (updates, occasional troubleshooting)

vs. GitHub Team + GitHub Copilot

GitHub Team: €4/user/month. Copilot: €10/user/month. For 20 developers: €280/month. Self-hosted: €50–100/month infrastructure + your maintenance time.

Break-even depends on your hourly rate for maintenance time.


Or let PILOT run it

Developer Stack mission package — Gitea/Forgejo, CI/CD, registry, SSO, and private code AI on sovereign EU infrastructure.
