Implement SSH passthrough mode and refactor Gitea domain configuration

Major Changes:
- Add dual SSH mode system (passthrough default, dedicated fallback)
- Refactor domain configuration to use direct specification pattern
- Fix critical fail2ban security gap in dedicated mode
- Separate HTTP and SSH domains for cleaner Git URLs

roles/gitea/defaults/main.yml

@@ -20,16 +20,14 @@ gitea_home: "/var/lib/gitea"
 
 # Network Configuration
 gitea_http_port: 3000
-gitea_ssh_port: 2222
 
 # =================================================================
 # Domain and Caddy Integration 
 # =================================================================
 
 # Domain setup (follows rick-infra pattern)
-gitea_subdomain: "git"
-gitea_domain: "{{ caddy_domain | default('localhost') }}"
-gitea_full_domain: "{{ gitea_subdomain }}.{{ gitea_domain }}"
+gitea_http_domain: "git.jnss.me"
+gitea_ssh_domain: "jnss.me"
 
 # Caddy integration
 caddy_sites_enabled_dir: "/etc/caddy/sites-enabled"
@@ -63,15 +61,34 @@ gitea_enable_lfs: true
 gitea_disable_registration: false
 gitea_require_signin: false
 
-# SSH settings
-gitea_start_ssh_server: true
+# =================================================================
+# SSH Mode Configuration
+# =================================================================
+
+# SSH Mode: 'passthrough' or 'dedicated'
+# - passthrough (default): Use system SSH on port 22
+#   * More secure (single SSH daemon, smaller attack surface)
+#   * Standard Git URLs (no :2222 port number needed)
+#   * System fail2ban automatically protects Git operations
+#   * Recommended for production use
+#
+# - dedicated (fallback): Run Gitea's built-in SSH server on port 2222
+#   * Complete isolation from system SSH
+#   * Independent configuration and restarts
+#   * Requires opening port 2222 in firewall
+#   * Useful for debugging or when passthrough causes issues
+gitea_ssh_mode: "passthrough"
+
+# Dynamic SSH configuration based on mode
+gitea_ssh_port: "{{ 22 if gitea_ssh_mode == 'passthrough' else 2222 }}"
+gitea_start_ssh_server: "{{ false if gitea_ssh_mode == 'passthrough' else true }}"
 
 # =================================================================
 # Firewall Configuration
 # =================================================================
 
-# Firewall management
-gitea_manage_firewall: true  # Set to false if firewall is managed externally
+# Firewall management (only opens port in dedicated mode)
+gitea_manage_firewall: "{{ true if gitea_ssh_mode == 'dedicated' else false }}"
 
 # =================================================================
 # Infrastructure Dependencies (Read-only)
@@ -91,4 +108,4 @@ postgresql_port: 5432
 # - Creates its own database and user 
 # - Deploys Caddy configuration to sites-enabled
 # - Uses native Arch Linux Gitea package
-# - Follows self-contained service pattern
+# - Follows self-contained service pattern