chore: Make gitea public

.gitignore

@@ -6,3 +6,5 @@ caddy/data/
 caddy/config/
 
 filebrowser/
+
+.claude/

caddy/Caddyfile

@@ -73,8 +73,44 @@ uptime.sauravdhakal.com.np {
     reverse_proxy localhost:3001
 }
 
-# Gitea — VPN only, it's your private git server
+# -----------------------------------------------
+# Gitea — DUAL MODE
+# Public: Web UI (read-only via matchers)
+# Private: Full access (SSH + push/pull via VPN)
+# -----------------------------------------------
+
+# PUBLIC Gitea Web UI
 gitea.sauravdhakal.com.np {
+    # Allow public access (no bind = all interfaces)
+
+    # Security headers
+    header {
+        X-Content-Type-Options nosniff
+        X-Frame-Options DENY
+        Referrer-Policy strict-origin-when-cross-origin
+    }
+
+    # Restrict dangerous endpoints on public access
+    # Block only git PUSH operations (write), allow clone (read)
+    @publicDangerous {
+        path /api/v1/repos/*/archive/*
+        path /repos/*/archive/*
+        path /*/git-receive-pack
+    }
+
+    handle @publicDangerous {
+        abort 403
+    }
+
+    # Allow everything else (UI, API read, etc)
+    reverse_proxy localhost:3000 {
+        header_up X-Real-IP {remote_host}
+        header_up X-Forwarded-For {remote_host}
+    }
+}
+
+# PRIVATE Gitea (Full Access via VPN)
+gitea-private.sauravdhakal.com.np {
     bind 100.81.85.182
     reverse_proxy localhost:3000
 }

services/gitea.yml

@@ -14,6 +14,11 @@ services:
       - GITEA__server__ROOT_URL=https://gitea.sauravdhakal.com.np
       - GITEA__server__SSH_DOMAIN=gitea.sauravdhakal.com.np
       - GITEA__server__SSH_PORT=2222
-      - GITEA__service__DISABLE_REGISTRATION=true   # only you use this
+      # Allow public access but disable registration
+      - GITEA__service__DISABLE_REGISTRATION=true
+      # Require login to push (read is public)
+      - GITEA__repository__DISABLE_HTTP_GIT=false
+      - GITEA__security__INSTALL_LOCK=true
     volumes:
       - /home/saurav/hetzner_self/data/gitea:/data
+