Update README.md
@@ -69,13 +69,13 @@ A self-hosted Gitea instance running on a home server, made publicly accessible
## Design Decisions
**WireGuard over Tailscale/Headscale**
Only two endpoints with a fixed public IP on the VPS side – a simple point-to-point WireGuard tunnel is sufficient. No need for mesh networking, NAT traversal, or a coordination server. Tailscale/Headscale can be added later if the setup grows.
Only two endpoints with a fixed public IP on the VPS side - a simple point-to-point WireGuard tunnel is sufficient. No need for mesh networking, NAT traversal, or a coordination server. Tailscale/Headscale can be added later if the setup grows.
**Caddy over NGINX**
Caddy provides automatic TLS certificate provisioning and renewal with zero configuration. The entire reverse proxy config is 6 lines.
**Reverse Proxy in separate LXC**
Keeps the proxy isolated from both the hypervisor and the application. Adding new services only requires editing the Caddyfile – no changes to the VPS or tunnel needed.
Keeps the proxy isolated from both the hypervisor and the application. Adding new services only requires editing the Caddyfile - no changes to the VPS or tunnel needed.
**TLS termination at home, not on VPS**
The VPS only forwards encrypted traffic. TLS is terminated by Caddy in the home network, keeping certificate management local and the VPS stateless.
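Review bot: The two edited paragraphs ("WireGuard over Tailscale/Headscale" and "Reverse Proxy in separate LXC") only swap an en dash for a hyphen, which is fine, but the hunk leaves a documentation gap next to it: "TLS termination at home, not on VPS" says the VPS "only forwards encrypted traffic" without saying what is forwarded. Suggest one sentence naming the forwarded port(s) and the forwarding mechanism (e.g. "TCP 443 is forwarded through the WireGuard tunnel to the Caddy LXC"), so a reader can verify the "stateless, no application logic" claim against the actual VPS config rather than take it on trust.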
@@ -97,7 +97,7 @@ No changes to the VPS, tunnel, or firewall needed.
## Security
- VPS has no application logic – it only forwards traffic
- VPS has no application logic - it only forwards traffic
- WireGuard provides authenticated, encrypted communication between sites
- TLS certificates are automatically managed by Caddy (Let's Encrypt)
- Gitea is not directly exposed to the internet
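Review bot: The Security section lists what the design protects but not its trust assumptions, and this punctuation-only change to the first bullet is a good moment to add them. The bullets say the VPS "only forwards traffic" into a WireGuard tunnel that reaches the home network, so the VPS is still the one internet-facing host with a path into that tunnel; suggest a bullet stating that the home-side WireGuard peer accepts only the reverse-proxy port from the VPS, and that the WireGuard keys are the only credential shared between sites, so a reader knows what a compromised VPS could and could not reach.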