Not git(ea) but Synapse: I use separate Traefik routers for internal and external endpoints. Internal has access to all paths but for external entry points I allow or deny list paths as needed. It’s error prone as it can either break the app if not everything required is allowlisted, or cause a security issue if not everything is deny listed.
NixOS instances running Nomad/Vault/Consul. Each service behind Traefik with LE certs. Containers can mount NFS shares from a separate NAS which optionally gets backed up to cloud blob storage.
I use SSH and some CLI commands for deployment but only because that’s faster than CICD. I’m only running ~’nomad run …’ for the most part
The goal was to be resilient to single node failures and align with a stack I might use for production ops work. It’s also nice to be able to remove/add nodes fairly easily without worrying about breaking any home automation or hosting.
Running a reverse proxy then adding your IP to your router/other-DNS-server will make it easy ish. Just don’t pick a domain that is used by other people. If you have a(ny) domain you own then a subdomain you set in your router is fine/safe.
I have *.[house domain] point to a static IP set in my router. The IP is announced via BGP to point to running Traefik instances as a reverse proxy that points to the appropriate container. This also gives certs, but isn’t required.
This sounds about half of the way to Nostr. User identity is separate from posting. Communities (relays) host the content and can have the own policies for who can interact.