Implement SSH passthrough mode and refactor Gitea domain configuration

Major Changes:
- Add dual SSH mode system (passthrough default, dedicated fallback)
- Refactor domain configuration to use direct specification pattern
- Fix critical fail2ban security gap in dedicated mode
- Separate HTTP and SSH domains for cleaner Git URLs

roles/gitea/handlers/main.yml

@@ -27,4 +27,11 @@
 - name: restart fail2ban
   systemd:
     name: fail2ban
-    state: restarted
+    state: restarted
+
+- name: restart sshd
+  systemd:
+    name: sshd
+    state: restarted
+  # Safety: only restart if not running locally
+  when: ansible_connection != 'local'