Forgive my ignorance as I am very new to networking. Does it not look like it is the other way around? Your certificate manager tries to connect to Let’s Encrypt and fails? Even with DNS challenges, your certificate manager has to tell Let’s Encrypt to check your DNS records somehow.
What did you not like about Headscale? I started using it recently and it seems fine so far. Works identically to Tailscale.
Oh, didn’t know Forgejo was ever intended to have federation. That’s so cool!
I run it in a rootless Podman container using Quadlets. Instead of opening the server’s ssh port, I only port-forward the container’s ssh port (e.g. 22 -> 2222). I have sign-ups enabled, since I want people to be able to contribute (or just create issues). But I have configured the server so that nobody can create a repository. They can still fork my repos and send a pull request.
I have yet to experiment with Actions. I assume the safest option would be to only enable it for my own commits, but I am not sure.
This might not be what you are looking for but in such cases I just use GParted running on a Linux Mint bootable thumb drive.
Though I don’t know if a similarly capable CLI alternative exists for headless servers.