Implement SSH passthrough mode and refactor Gitea domain configuration

Major Changes:
- Add dual SSH mode system (passthrough default, dedicated fallback)
- Refactor domain configuration to use direct specification pattern
- Fix critical fail2ban security gap in dedicated mode
- Separate HTTP and SSH domains for cleaner Git URLs

roles/gitea/tasks/main.yml

@@ -16,23 +16,30 @@
     name: gitea
     state: present
 
-# Firewall configuration - self-managed by Gitea role
-- name: Configure firewall for Gitea SSH
-  import_tasks: firewall.yml
-  tags: ['firewall']
-  when: gitea_manage_firewall | default(true)
+# SSH Mode Configuration - Conditional based on gitea_ssh_mode
+# Mode determines how Git SSH operations are handled
 
-# fail2ban protection - self-managed by Gitea role
-- name: Configure fail2ban for Gitea SSH
-  import_tasks: fail2ban.yml
-  tags: ['fail2ban', 'security']
-  when: gitea_manage_firewall | default(true)
+- name: Configure SSH passthrough mode (default)
+  import_tasks: ssh_passthrough.yml
+  when: gitea_ssh_mode == "passthrough"
+  tags: ['ssh', 'passthrough']
+
+- name: Configure SSH dedicated mode (fallback)
+  import_tasks: ssh_dedicated.yml
+  when: gitea_ssh_mode == "dedicated"
+  tags: ['ssh', 'dedicated']
 
 - name: Install Git 
   pacman:
     name: git
     state: present
 
+- name: Create Gitea group
+  group:
+    name: "{{ gitea_group }}"
+    system: yes
+    state: present
+
 - name: Create Gitea user and group
   user:
     name: "{{ gitea_user }}"
@@ -156,8 +163,8 @@
     msg: |
       ✅ Gitea Git service deployed successfully!
       
-      🌐 Web Interface: https://{{ gitea_full_domain }}
-      🔗 SSH Clone: ssh://git@{{ gitea_full_domain }}:{{ gitea_ssh_port }}
+      🌐 Web Interface: https://{{ gitea_http_domain }}
+      🔗 SSH Clone: ssh://git@{{ gitea_ssh_domain }}:{{ gitea_ssh_port }}
       📦 Local HTTP: http://127.0.0.1:{{ gitea_http_port }}
       🗄️  Database: {{ gitea_db_name }} (self-managed)