From 39013db669a9e92078278ae66416ddf2ce486578 Mon Sep 17 00:00:00 2001
From: SauravDhakal
Date: Sat, 11 Apr 2026 21:16:37 +0545
Subject: [PATCH] chore: Make gitea public

---
 .gitignore         |  2 ++
 caddy/Caddyfile    | 38 +++++++++++++++++++++++++++++++++++++-
 services/gitea.yml |  7 ++++++-
 3 files changed, 45 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index 57de05a..2802682 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,5 @@
 caddy/data/
 caddy/config/
 filebrowser/
+
+.claude/
diff --git a/caddy/Caddyfile b/caddy/Caddyfile
index b918f60..9983d13 100644
--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@@ -73,8 +73,44 @@ uptime.sauravdhakal.com.np {
     reverse_proxy localhost:3001
 }
 
-# Gitea — VPN only, it's your private git server
+# -----------------------------------------------
+# Gitea — DUAL MODE
+# Public: Web UI (read-only via matchers)
+# Private: Full access (SSH + push/pull via VPN)
+# -----------------------------------------------
+
+# PUBLIC Gitea Web UI
 gitea.sauravdhakal.com.np {
+    # Allow public access (no bind = all interfaces)
+
+    # Security headers
+    header {
+        X-Content-Type-Options nosniff
+        X-Frame-Options DENY
+        Referrer-Policy strict-origin-when-cross-origin
+    }
+
+    # Restrict dangerous endpoints on public access
+    # Block only git PUSH operations (write), allow clone (read)
+    @publicDangerous {
+        path /api/v1/repos/*/archive/*
+        path /repos/*/archive/*
+        path /*/git-receive-pack
+    }
+
+    handle @publicDangerous {
+        abort 403
+    }
+
+    # Allow everything else (UI, API read, etc)
+    reverse_proxy localhost:3000 {
+        header_up X-Real-IP {remote_host}
+        header_up X-Forwarded-For {remote_host}
+    }
+}
+
+# PRIVATE Gitea (Full Access via VPN)
+gitea-private.sauravdhakal.com.np {
     bind 100.81.85.182
     reverse_proxy localhost:3000
 }
diff --git a/services/gitea.yml b/services/gitea.yml
index ecd905f..6d83822 100644
--- a/services/gitea.yml
+++ b/services/gitea.yml
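Review bot: `abort 403` inside `handle @publicDangerous` does not look like valid Caddyfile — as far as I can tell `abort` takes no status argument and simply drops the connection — so the config will most likely fail to load; the intended directive is `respond 403` (or `error 403`). The push matcher `path /*/git-receive-pack` also looks wrong for Gitea, whose smart-HTTP push URL is `/{owner}/{repo}.git/git-receive-pack` with two segments before the endpoint, so unless Caddy's `*` spans path separators it never matches; `path_regexp /git-receive-pack$` would be unambiguous, and the two `archive` patterns have the same owner/repo segment problem. More fundamentally the public vhost is not read-only: API write methods, web-form POSTs and the login page are proxied unfiltered to the same backend the VPN vhost reaches, so the effective write control is Gitea's own authentication and the header comment `read-only via matchers` overstates what the proxy enforces. Since the admin login is now Internet-facing, rate limiting or fail2ban on `/user/login` would be a sensible companion change.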
@@ -14,6 +14,11 @@ services:
       - GITEA__server__ROOT_URL=https://gitea.sauravdhakal.com.np
       - GITEA__server__SSH_DOMAIN=gitea.sauravdhakal.com.np
       - GITEA__server__SSH_PORT=2222
-      - GITEA__service__DISABLE_REGISTRATION=true # only you use this
+      # Allow public access but disable registration
+      - GITEA__service__DISABLE_REGISTRATION=true
+      # Require login to push (read is public)
+      - GITEA__repository__DISABLE_HTTP_GIT=false
+      - GITEA__security__INSTALL_LOCK=true
     volumes:
       - /home/saurav/hetzner_self/data/gitea:/data
+
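Review bot: The comment `# Require login to push (read is public)` above `GITEA__repository__DISABLE_HTTP_GIT=false` describes something that setting does not do — it only keeps the HTTP(S) git transport enabled (which, as far as I know, is already Gitea's default), pushes require authentication regardless, and anonymous read is governed by each repository's visibility plus `GITEA__service__REQUIRE_SIGNIN_VIEW`; suggest `# keep HTTP git transport enabled (Gitea default); pushes always need auth, anonymous read depends on repo visibility`. With `ROOT_URL` and `SSH_DOMAIN` now a public hostname, the clone URLs Gitea renders will advertise SSH on that domain at port 2222, which only works if that port is reachable from outside the VPN — worth confirming, otherwise the UI shows dead SSH URLs. Because the admin login page becomes Internet-facing with this change, enabling 2FA on the admin account would be a sensible companion to disabling registration. The trailing blank line added at end of file is noise.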