diff --git a/hosts/fw/configuration.nix b/hosts/fw/configuration.nix
index 0c7af8d..5e29c0d 100644
--- a/hosts/fw/configuration.nix
+++ b/hosts/fw/configuration.nix
@@ -32,7 +32,6 @@
 # microvm
 ./modules/microvm.nix
- ./modules/gitea-vm.nix
 ./modules/forgejo-runner.nix
 ./modules/dev-microvm.nix
 # ./modules/vscode-server.nix # Add VS Code Server microvm
@@ -45,8 +44,7 @@
 ./modules/web
 # git
- ./modules/gitea.nix
- ./modules/forgejo.nix # Migration: autoStart=false, start after migration script
+ ./modules/forgejo.nix
 # ./modules/fwmetrics.nix
 # ha customers
@@ -81,7 +79,7 @@
 networkPrefix = "10.42";
 # Systemd services to monitor
- services.victoriametrics.monitoredServices = [ "ai-mailer" "container@git" "microvm@git-runner-" "microvm@fj-runner-" ];
+ services.victoriametrics.monitoredServices = [ "ai-mailer" "container@forgejo" "microvm@fj-runner-" ];
 nixpkgs.overlays = [
 (import ./utils/overlays/packages.nix)
diff --git a/hosts/fw/modules/dnsmasq.nix b/hosts/fw/modules/dnsmasq.nix
index 768f255..9e16d42 100644
--- a/hosts/fw/modules/dnsmasq.nix
+++ b/hosts/fw/modules/dnsmasq.nix
@@ -103,8 +103,7 @@
 "/mopidy.cloonar.com/${config.networkPrefix}.97.21"
 "/snapcast.cloonar.com/${config.networkPrefix}.97.21"
 "/lms.cloonar.com/${config.networkPrefix}.97.21"
- "/git.cloonar.com/${config.networkPrefix}.97.50"
- "/forgejo.cloonar.com/${config.networkPrefix}.97.55"
+ "/git.cloonar.com/${config.networkPrefix}.97.55"
 "/feeds.cloonar.com/188.34.191.144"
 "/nukibridge1a753f72.cloonar.smart/${config.networkPrefix}.100.112"
 "/allywatch.cloonar.com/${config.networkPrefix}.97.5"
diff --git a/hosts/fw/modules/firewall.nix b/hosts/fw/modules/firewall.nix
index 22bc6a1..c876e13 100644
--- a/hosts/fw/modules/firewall.nix
+++ b/hosts/fw/modules/firewall.nix
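Review bot: Dropping `./modules/gitea-vm.nix` here and `./modules/gitea.nix` in the second hunk stops building the old Gitea VM and service, but presumably leaves whatever they created on the host — the VM's image and state directory, its SSH host key, and any runner or API tokens it issued — in place, and the third hunk's removal of `microvm@git-runner-` from the monitored units means a stale instance would no longer be noticed if it were still running. A short record next to the import would make the decommissioning auditable, e.g. `# gitea-vm.nix / gitea.nix removed after migration to forgejo.nix; old VM state and Gitea-issued tokens cleaned up separately`. Whether the microvm module garbage-collects its state on removal is not visible in this diff, so the cleanup and token revocation are worth confirming by hand. The import list continues outside the hunk.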
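Review bot: Removing the `forgejo.cloonar.com` override means LAN clients now resolve that name through the upstream resolver instead of locally; if a public record for it still exists they will reach the WAN address and come back through the port-80/443 DNAT, and once its vhost is gone (proxies.nix hunk) they land on whatever nginx serves as its default server rather than on Forgejo. Keeping a transitional override for `forgejo.cloonar.com` alongside a redirect vhost, or retiring the public record at the same time, makes the cutover explicit instead of silent. Whether a public record exists is not visible here. The address list continues outside the hunk.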
@@ -118,7 +118,7 @@
 iifname "smart" oifname "server" ip daddr ${config.networkPrefix}.97.20/32 tcp dport { 1883 } counter accept
 # Forward to git server
- oifname "server" ip daddr ${config.networkPrefix}.97.50 tcp dport { 22 } counter accept
+ oifname "server" ip daddr ${config.networkPrefix}.97.55 tcp dport { 22 } counter accept
 oifname "server" ip daddr ${config.networkPrefix}.97.5 tcp dport { 80, 443 } counter accept
 # lan and vpn to any
@@ -167,7 +167,7 @@
 chain prerouting {
 type nat hook prerouting priority filter; policy accept;
 iifname "server" ip daddr ${config.networkPrefix}.96.255 udp dport { 9 } dnat to ${config.networkPrefix}.96.255
- iifname "wan" tcp dport { 22 } dnat to ${config.networkPrefix}.97.50
+ iifname "wan" tcp dport { 22 } dnat to ${config.networkPrefix}.97.55
 iifname "wan" tcp dport { 80, 443 } dnat to ${config.networkPrefix}.97.5
 iifname "wan" tcp dport { 5000 } dnat to ${config.networkPrefix}.97.51
 iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to ${config.networkPrefix}.97.201
diff --git a/hosts/fw/modules/forgejo-runner.nix b/hosts/fw/modules/forgejo-runner.nix
index 06befd1..c8f93f8 100644
--- a/hosts/fw/modules/forgejo-runner.nix
+++ b/hosts/fw/modules/forgejo-runner.nix
@@ -51,7 +51,7 @@ in {
 services.gitea-actions-runner.instances.${runner} = {
 enable = true;
- url = "https://forgejo.cloonar.com";
+ url = "https://git.cloonar.com";
 name = runner;
 tokenFile = "/run/secrets/forgejo-runner-token";
 labels = [
diff --git a/hosts/fw/modules/forgejo.nix b/hosts/fw/modules/forgejo.nix
index d364f72..afb4cd1 100644
--- a/hosts/fw/modules/forgejo.nix
+++ b/hosts/fw/modules/forgejo.nix
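Review bot: Pointing the port-22 forward at `${config.networkPrefix}.97.55` (and the WAN DNAT in the hunk at line 167) changes which host answers SSH for `git.cloonar.com`; unless the migration copied the Gitea VM's SSH host key into the Forgejo container, every existing client gets a host-key-changed warning on its next push or fetch, and forgejo.nix's `ephemeral = false; # because of ssh key` suggests the container keeps a key of its own rather than the old one. Publishing the new fingerprint before the switch, and an SSHFP record if the zone is signed, keeps users from being trained to accept such warnings blindly. The rule comment could record the cutover too, e.g. `# Forward to git server (forgejo container, was gitea VM at .97.50)`. The enclosing chain starts and ends outside the hunk.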
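Review bot: Changing `url` alone does not necessarily re-register the runner: it persists the instance address it registered with in its state directory, and whether the NixOS module re-runs registration when `url` changes or keeps using the stored address is not visible in this diff. The registration token in `/run/secrets/forgejo-runner-token` is unaffected by the rename, but it is worth checking after deploy that the runner shows as online under `git.cloonar.com` and that the TLS name it validates matches the renamed certificate. A comment on the line, `# must match ROOT_URL of the forgejo container; runner re-registration verified after rename`, would record that check. The instance definition continues outside the hunk.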
@@ -19,13 +19,12 @@ in
 users.users.forgejo = user;
 users.groups.forgejo = group;
- # Reuse the existing git.cloonar.com ACME cert from gitea.nix
- security.acme.certs."forgejo.cloonar.com" = {
+ security.acme.certs."git.cloonar.com" = {
 group = "nginx";
 };
 containers.forgejo = {
- autoStart = false; # Don't start until migration is complete
+ autoStart = true;
 ephemeral = false; # because of ssh key
 privateNetwork = true;
 hostBridge = "server";
@@ -37,8 +36,7 @@ in
 isReadOnly = false;
 };
 "/var/lib/acme/forgejo/" = {
- # hostPath = config.security.acme.certs.${domain}.directory;
- hostPath = config.security.acme.certs."forgejo.cloonar.com".directory;
+ hostPath = config.security.acme.certs.${domain}.directory;
 isReadOnly = true;
 };
 "/run/secrets/forgejo-mailer-password" = {
@@ -146,7 +144,6 @@ in
 sops.secrets.forgejo-mailer-password = {
 owner = "forgejo";
- # restartUnits removed - would start the container even with autoStart=false
- # Re-add after migration: restartUnits = [ "container@forgejo.service" ];
+ restartUnits = [ "container@forgejo.service" ];
 };
 }
diff --git a/hosts/fw/modules/web/proxies.nix b/hosts/fw/modules/web/proxies.nix
index 1709e39..421ea1a 100644
--- a/hosts/fw/modules/web/proxies.nix
+++ b/hosts/fw/modules/web/proxies.nix
@@ -1,13 +1,5 @@
 { config, lib, ... }: {
 services.nginx.virtualHosts."git.cloonar.com" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- locations."/" = {
- proxyPass = "https://git.cloonar.com/";
- };
- };
- services.nginx.virtualHosts."forgejo.cloonar.com" = {
 forceSSL = true;
 enableACME = true;
 acmeRoot = null;
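Review bot: Renaming the ACME certificate to `git.cloonar.com` covers TLS, but nothing in this diff touches the Forgejo settings that also embed the hostname — `ROOT_URL`, `SSH_DOMAIN` and any OAuth2 redirect URIs — which sit outside the visible hunks. If they still say `forgejo.cloonar.com`, generated links, webhook payloads and OAuth callbacks will point at a name whose vhost this commit deletes; if they already derive from `${domain}` (the restored `${domain}` reference in the second hunk suggests `domain` is `git.cloonar.com`), a comment on the cert such as `# name must equal the domain used for ROOT_URL and the acme bind mount below` ties the three together. The `containers.forgejo` block continues outside the hunk.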
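Review bot: Restoring `restartUnits = [ "container@forgejo.service" ]` means a rotation of the mailer password now restarts the entire container, dropping active HTTPS and SSH sessions, rather than only the service inside it; that is the natural choice because the secret is bind-mounted into the container (see the `"/run/secrets/forgejo-mailer-password"` mount in the second hunk), but the removed comment explained the old choice and the new line explains nothing. A one-line note, `# secret is bind-mounted into the container, so a rotation needs a container restart`, keeps the reasoning in place. The closing `}` ends the module here.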
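Review bot: The `forgejo.cloonar.com` vhost is deleted outright rather than replaced by a redirect, so requests for that name — bookmarks, existing clone URLs, webhook and OAuth callback registrations, and any public DNS record that still exists — fall through to nginx's default server instead of reaching Forgejo at `git.cloonar.com`. A minimal transition is a redirect-only vhost, `services.nginx.virtualHosts."forgejo.cloonar.com" = { forceSSL = true; enableACME = true; acmeRoot = null; globalRedirect = "git.cloonar.com"; };`, or, if the name is being retired, removing its public DNS record in the same change so the name stops resolving to the firewall at all. Which of the two is intended is not stated in the diff. The `git.cloonar.com` vhost body continues outside the hunk.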