chore: Make gitea public

caddy/Caddyfile

@@ -73,8 +73,44 @@ uptime.sauravdhakal.com.np {
     reverse_proxy localhost:3001
 }
 
-# Gitea — VPN only, it's your private git server
+# -----------------------------------------------
+# Gitea — DUAL MODE
+# Public: Web UI (read-only via matchers)
+# Private: Full access (SSH + push/pull via VPN)
+# -----------------------------------------------
+
+# PUBLIC Gitea Web UI
 gitea.sauravdhakal.com.np {
+    # Allow public access (no bind = all interfaces)
+
+    # Security headers
+    header {
+        X-Content-Type-Options nosniff
+        X-Frame-Options DENY
+        Referrer-Policy strict-origin-when-cross-origin
+    }
+
+    # Restrict dangerous endpoints on public access
+    # Block only git PUSH operations (write), allow clone (read)
+    @publicDangerous {
+        path /api/v1/repos/*/archive/*
+        path /repos/*/archive/*
+        path /*/git-receive-pack
+    }
+
+    handle @publicDangerous {
+        abort 403
+    }
+
+    # Allow everything else (UI, API read, etc)
+    reverse_proxy localhost:3000 {
+        header_up X-Real-IP {remote_host}
+        header_up X-Forwarded-For {remote_host}
+    }
+}
+
+# PRIVATE Gitea (Full Access via VPN)
+gitea-private.sauravdhakal.com.np {
     bind 100.81.85.182
     reverse_proxy localhost:3000
 }