Well, that was surprisingly easy(-ish).

Just installed Forgejo into a BSD jail running on my NAS. The package was very thoughtfully put together, called out the configuration bits I needed to fill in, and I had a Git server running on my LAN within a couple hours. After a few minutes additional work, it was speaking TLS, and had 2FA enabled.