docs: STRATEGY.md — primary git host moved to git.s8n.ru (Forgejo)

Self-hosted Forgejo + forgejo-runner on nullstone now primary.
GitHub becomes public mirror (Forgejo push-mirrors every commit
+ every 8h). 0 GH Actions minutes consumed.

Runner labels:
  ubuntu-24.04 — drop-in for existing build-iso.yml workflow
  nullstone    — privileged Fedora 43 (opt-in via runs-on: nullstone)

Deploy artifacts: ~/ai-lab/nullstone-server/forgejo/.

External TODO (parent operator owns):
  - router port-forward 222 → nullstone:222 for public SSH push
  - no-guest@file allowlist update for external web UI access

docs/STRATEGY.md

@@ -301,6 +301,26 @@ in the v0.7 spike branch only.
   `v4.9` on F44). If we follow, we get F44 for free at the same time
   upstream does.
 
+## Self-hosted git + CI (locked 2026-05-05)
+
+Primary git host moved off github.com. **Forgejo** runs on nullstone
+at `git.s8n.ru`, with **forgejo-runner** doing the build work. GH free-
+tier minute quota was hammering veilor-os iteration; we self-host now.
+
+- Primary remote: `ssh://git@192.168.0.100:222/veilor-org/veilor-os.git`
+  (Forgejo, LAN-only until router port-forward 222 → nullstone:222
+  added — TODO; or use tailnet hostname once tailscale logged in).
+- Public mirror: `https://github.com/veilor-org/veilor-os.git`. Forgejo
+  push-mirrors every commit + every 8h, so GH stays in sync without
+  consuming GH minutes.
+- Runner labels: `ubuntu-24.04` (catthehacker image — works for our
+  current build-iso.yml unmodified) and `nullstone` (privileged Fedora
+  43 container — opt-in via `runs-on: nullstone`).
+- Build cost: 0 GH minutes. Disk: ~80 GB workspace on /home/docker.
+
+Deploy artifacts: `~/ai-lab/nullstone-server/forgejo/`. Runbook in same
+dir.
+
 ## See also
 
 - `docs/THREAT-MODEL.md` — drafted, needs publish for v0.7