Implement SSH passthrough mode and refactor Gitea domain configuration

Major Changes:
- Add dual SSH mode system (passthrough default, dedicated fallback)
- Refactor domain configuration to use direct specification pattern
- Fix critical fail2ban security gap in dedicated mode
- Separate HTTP and SSH domains for cleaner Git URLs

roles/gitea/templates/gitea.caddy.j2

@@ -2,7 +2,7 @@
 # Generated by Ansible Gitea role
 # Deployed to {{ caddy_sites_enabled_dir }}/gitea.caddy
 
-{{ gitea_full_domain }} {
+{{ gitea_http_domain }} {
     # Reverse proxy to Gitea
     reverse_proxy 127.0.0.1:{{ gitea_http_port }}
 
@@ -29,4 +29,4 @@
     }
 }
 
-# Rick-Infra: Self-contained Gitea service with Caddy reverse proxy
+# Rick-Infra: Self-contained Gitea service with Caddy reverse proxy