diff --git a/fleet.nix b/fleet.nix
index 2084c8b..e8a8ab5 100644
--- a/fleet.nix
+++ b/fleet.nix
@@ -51,10 +51,6 @@
 username = "nas";
 key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICS6b97LPUpr7/kWvOcI40s5e+gfbfz0I2/hAPL6zTmU";
 }
- {
- username = "dev";
- key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICS6b97LPUpr7/kWvOcI40s5e+gfbfz0I2/hAPL6zTmU";
- }
 {
 username = "amzebs-01";
diff --git a/hosts/dev/configuration.nix b/hosts/dev/configuration.nix
index 7fcc526..bca1d31 100644
--- a/hosts/dev/configuration.nix
+++ b/hosts/dev/configuration.nix
@@ -55,18 +55,13 @@ in
 programs.zsh.enable = true;
 users.defaultUserShell = pkgs.zsh;
- # Welcome message with Claude Code reminder
- users.motd = ''
- Welcome to dev
-
- Claude Code: claude or cr (resume last session)
+ # Auto-attach to tmux on SSH login
+ environment.interactiveShellInit = ''
+ if [[ -n "$SSH_CONNECTION" ]] && [[ -z "$TMUX" ]]; then
+ tmux attach-session -t main 2>/dev/null || tmux new-session -s main
+ fi
 '';
- # Short alias for resuming Claude sessions
- programs.zsh.shellAliases = {
- cr = "claude --resume";
- };
-
 # Passwordless sudo for dominik
 security.sudo.extraRules = [{
 users = [ "dominik" ];
diff --git a/hosts/fw/configuration.nix b/hosts/fw/configuration.nix
index 5e29c0d..0c7af8d 100644
--- a/hosts/fw/configuration.nix
+++ b/hosts/fw/configuration.nix
@@ -32,6 +32,7 @@
 # microvm
 ./modules/microvm.nix
+ ./modules/gitea-vm.nix
 ./modules/forgejo-runner.nix
 ./modules/dev-microvm.nix
 # ./modules/vscode-server.nix # Add VS Code Server microvm
@@ -44,7 +45,8 @@
 ./modules/web
 # git
- ./modules/forgejo.nix
+ ./modules/gitea.nix
+ ./modules/forgejo.nix # Migration: autoStart=false, start after migration script
 # ./modules/fwmetrics.nix
 # ha customers
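Review bot: The attach-or-create pair `tmux attach-session -t main 2>/dev/null || tmux new-session -s main` in hosts/dev/configuration.nix can be the single `tmux new-session -A -s main`, which attaches when `main` already exists and creates it otherwise, and it no longer needs the `2>/dev/null` that currently also hides genuine tmux failures such as an unreachable server socket. Because `environment.interactiveShellInit` is sourced by every interactive shell of every account on the host, root included, it is worth stating in the comment whether the auto-attach is intended for all users or only the primary one, e.g. `# Auto-attach to tmux on SSH login (applies to every interactive shell, including root)`. The enclosing attribute set continues outside the hunk.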
@@ -79,7 +81,7 @@
 networkPrefix = "10.42";
 # Systemd services to monitor
- services.victoriametrics.monitoredServices = [ "ai-mailer" "container@forgejo" "microvm@fj-runner-" ];
+ services.victoriametrics.monitoredServices = [ "ai-mailer" "container@git" "microvm@git-runner-" "microvm@fj-runner-" ];
 nixpkgs.overlays = [
 (import ./utils/overlays/packages.nix)
diff --git a/hosts/fw/modules/dnsmasq.nix b/hosts/fw/modules/dnsmasq.nix
index 9e16d42..768f255 100644
--- a/hosts/fw/modules/dnsmasq.nix
+++ b/hosts/fw/modules/dnsmasq.nix
@@ -103,7 +103,8 @@
 "/mopidy.cloonar.com/${config.networkPrefix}.97.21"
 "/snapcast.cloonar.com/${config.networkPrefix}.97.21"
 "/lms.cloonar.com/${config.networkPrefix}.97.21"
- "/git.cloonar.com/${config.networkPrefix}.97.55"
+ "/git.cloonar.com/${config.networkPrefix}.97.50"
+ "/forgejo.cloonar.com/${config.networkPrefix}.97.55"
 "/feeds.cloonar.com/188.34.191.144"
 "/nukibridge1a753f72.cloonar.smart/${config.networkPrefix}.100.112"
 "/allywatch.cloonar.com/${config.networkPrefix}.97.5"
diff --git a/hosts/fw/modules/firewall.nix b/hosts/fw/modules/firewall.nix
index c876e13..22bc6a1 100644
--- a/hosts/fw/modules/firewall.nix
+++ b/hosts/fw/modules/firewall.nix
@@ -118,7 +118,7 @@
 iifname "smart" oifname "server" ip daddr ${config.networkPrefix}.97.20/32 tcp dport { 1883 } counter accept
 # Forward to git server
- oifname "server" ip daddr ${config.networkPrefix}.97.55 tcp dport { 22 } counter accept
+ oifname "server" ip daddr ${config.networkPrefix}.97.50 tcp dport { 22 } counter accept
 oifname "server" ip daddr ${config.networkPrefix}.97.5 tcp dport { 80, 443 } counter accept
 # lan and vpn to any
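Review bot: `monitoredServices` keeps `"microvm@fj-runner-"` while the services_down.nix hunk removes both `Forgejo Runner` rows, so the fj-runner microVMs, which forgejo-runner.nix still deploys, are scraped but no longer alerted on during the migration. Either keep the two runner rows in services_down.nix until the runners are decommissioned, or drop the prefix here as well so both lists describe the same set of units.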
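Review bot: The forward rule under `# Forward to git server` and the WAN DNAT in the `@@ -167` hunk now both send tcp/22 to `${config.networkPrefix}.97.50`, so the machine behind the public SSH port changes from the forgejo container to the gitea one while the public name and address stay the same; unless the SSH host keys are carried over in the migration, every existing client gets a host-key-changed warning on its next push, which trains users to accept such warnings. A short comment at the DNAT line, e.g. `# tcp/22 from wan now terminates on gitea (97.50); forgejo (97.55) keeps its own host key`, and a note in the migration script on how the host key is handled would make that explicit. Forwarded tcp/22 to 97.55 from zones other than lan/vpn is no longer accepted by this chain; whether the `lan and vpn to any` rule below still covers internal clients cannot be confirmed from the hunk.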
@@ -167,7 +167,7 @@
 chain prerouting {
 type nat hook prerouting priority filter; policy accept;
 iifname "server" ip daddr ${config.networkPrefix}.96.255 udp dport { 9 } dnat to ${config.networkPrefix}.96.255
- iifname "wan" tcp dport { 22 } dnat to ${config.networkPrefix}.97.55
+ iifname "wan" tcp dport { 22 } dnat to ${config.networkPrefix}.97.50
 iifname "wan" tcp dport { 80, 443 } dnat to ${config.networkPrefix}.97.5
 iifname "wan" tcp dport { 5000 } dnat to ${config.networkPrefix}.97.51
 iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to ${config.networkPrefix}.97.201
diff --git a/hosts/fw/modules/forgejo-runner.nix b/hosts/fw/modules/forgejo-runner.nix
index c8f93f8..06befd1 100644
--- a/hosts/fw/modules/forgejo-runner.nix
+++ b/hosts/fw/modules/forgejo-runner.nix
@@ -51,7 +51,7 @@ in {
 services.gitea-actions-runner.instances.${runner} = {
 enable = true;
- url = "https://git.cloonar.com";
+ url = "https://forgejo.cloonar.com";
 name = runner;
 tokenFile = "/run/secrets/forgejo-runner-token";
 labels = [
diff --git a/hosts/fw/modules/forgejo.nix b/hosts/fw/modules/forgejo.nix
index afb4cd1..d364f72 100644
--- a/hosts/fw/modules/forgejo.nix
+++ b/hosts/fw/modules/forgejo.nix
@@ -19,12 +19,13 @@ in
 users.users.forgejo = user;
 users.groups.forgejo = group;
- security.acme.certs."git.cloonar.com" = {
+ # Reuse the existing git.cloonar.com ACME cert from gitea.nix
+ security.acme.certs."forgejo.cloonar.com" = {
 group = "nginx";
 };
 containers.forgejo = {
- autoStart = true;
+ autoStart = false; # Don't start until migration is complete
 ephemeral = false; # because of ssh key
 privateNetwork = true;
 hostBridge = "server";
@@ -36,7 +37,8 @@ in
 isReadOnly = false;
 };
 "/var/lib/acme/forgejo/" = {
- hostPath = config.security.acme.certs.${domain}.directory;
+ # hostPath = config.security.acme.certs.${domain}.directory;
+ hostPath = config.security.acme.certs."forgejo.cloonar.com".directory;
 isReadOnly = true;
 };
 "/run/secrets/forgejo-mailer-password" = {
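Review bot: The comment `# Reuse the existing git.cloonar.com ACME cert from gitea.nix` contradicts the line it describes, which declares a new certificate for `forgejo.cloonar.com` rather than reusing anything; the comment should match the code, e.g. `# Separate ACME cert for the forgejo hostname; git.cloonar.com now belongs to gitea.nix`. The `@@ -36` hunk of the same file leaves the old `${domain}` line as commented-out code next to a second copy of the `"forgejo.cloonar.com"` literal; if `domain` is the let-binding for this hostname (its definition is outside the hunk), updating that binding and keeping `security.acme.certs.${domain} = {` and `hostPath = config.security.acme.certs.${domain}.directory;` avoids the two literals drifting apart later.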
@@ -144,6 +146,7 @@ in
 sops.secrets.forgejo-mailer-password = {
 owner = "forgejo";
- restartUnits = [ "container@forgejo.service" ];
+ # restartUnits removed - would start the container even with autoStart=false
+ # Re-add after migration: restartUnits = [ "container@forgejo.service" ];
 };
 }
diff --git a/hosts/fw/modules/web/proxies.nix b/hosts/fw/modules/web/proxies.nix
index 421ea1a..1709e39 100644
--- a/hosts/fw/modules/web/proxies.nix
+++ b/hosts/fw/modules/web/proxies.nix
@@ -1,5 +1,13 @@
 { config, lib, ... }: {
 services.nginx.virtualHosts."git.cloonar.com" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = "https://git.cloonar.com/";
+ };
+ };
+ services.nginx.virtualHosts."forgejo.cloonar.com" = {
 forceSSL = true;
 enableACME = true;
 acmeRoot = null;
diff --git a/hosts/web-arm/modules/grafana/alerting/service/services_down.nix b/hosts/web-arm/modules/grafana/alerting/service/services_down.nix
index 7172280..8d04832 100644
--- a/hosts/web-arm/modules/grafana/alerting/service/services_down.nix
+++ b/hosts/web-arm/modules/grafana/alerting/service/services_down.nix
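Review bot: Replacing `restartUnits` with a reminder comment leaves a manual re-add step that is easy to forget once `autoStart` is flipped back; tying it to the option itself, `restartUnits = lib.optional config.containers.forgejo.autoStart "container@forgejo.service";`, behaves the same now and restores the secret-driven restart automatically when the container is re-enabled (assuming `lib` is among this module's arguments, which the hunk does not show). Until then a rotated mailer password is only picked up on the next manual restart of the container.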
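Review bot: The new `git.cloonar.com` vhost proxies to `https://git.cloonar.com/`, its own server name, so the upstream depends entirely on what this host's resolver returns for that name when nginx loads its configuration; if it returns the host's own address, requests loop back into nginx. The dnsmasq and firewall hunks already pin the gitea backend to `${config.networkPrefix}.97.50`, so `proxyPass = "https://${config.networkPrefix}.97.50/";` makes the target explicit and independent of resolver order. The `forgejo.cloonar.com` vhost's own `proxyPass` is outside the hunk.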
@@ -7,9 +7,8 @@ let
 { name = "Postfix"; service = "postfix.service"; instance = "mail:9100"; }
 { name = "Dovecot"; service = "dovecot.service"; instance = "mail:9100"; }
 { name = "OpenLDAP"; service = "openldap.service"; instance = "mail:9100"; }
- { name = "Forgejo"; service = "container@forgejo.service"; instance = "fw:9100"; }
- { name = "Forgejo Runner 1"; service = "microvm@fj-runner-1.service"; instance = "fw:9100"; }
- { name = "Forgejo Runner 2"; service = "microvm@fj-runner-2.service"; instance = "fw:9100"; }
+ { name = "Gitea"; service = "container@git.service"; instance = "fw:9100"; }
+ { name = "Gitea Runner"; service = "microvm@git-runner-1.service"; instance = "fw:9100"; }
 { name = "WireGuard"; service = "wireguard-wg_cloonar.service"; instance = "fw:9100"; }
 { name = "MySQL"; service = "mysql.service"; instance = "amzebs-01:9100"; }
 { name = "Nginx"; service = "nginx.service"; instance = "amzebs-01:9100"; }
diff --git a/hosts/web-arm/modules/prometheus.nix b/hosts/web-arm/modules/prometheus.nix
index bdd5a8f..dc70321 100644
--- a/hosts/web-arm/modules/prometheus.nix
+++ b/hosts/web-arm/modules/prometheus.nix
@@ -118,10 +118,10 @@
 description="homeassistant notification {{$labels.entity}} ({{$labels.friendly_name}}): {{$value}}"
 }
- ALERT forgejo
- IF rate(promhttp_metric_handler_requests_total{job="forgejo", code="500"}[5m]) > 3
+ ALERT gitea
+ IF rate(promhttp_metric_handler_requests_total{job="gitea", code="500"}[5m]) > 3
 ANNOTATIONS {
- description="{{$labels.instance}}: forgejo instances error rate went up: {{$value}} errors in 5 minutes"
+ description="{{$labels.instance}}: gitea instances error rate went up: {{$value}} errors in 5 minutes"
 }
 ''
 ];
@@ -198,7 +198,7 @@
 ];
 }
 {
- job_name = "forgejo";
+ job_name = "gitea";
 scrape_interval = "60s";
 metrics_path = "/metrics";
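Review bot: The new `Gitea Runner` row alerts only on `microvm@git-runner-1.service`, while the victoriametrics `monitoredServices` entry in hosts/fw/configuration.nix uses the prefix `microvm@git-runner-`; if more than one gitea runner is deployed, the additional units are collected but never alerted on. Adding one row per runner, as the removed Forgejo rows did, keeps the alert list aligned with what is monitored.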