security: upgrade Gitea to 1.25.4, add security headers

- Update Gitea from 1.22.6 to 1.25.4 (fixes CVE-2026-20736, CVE-2026-20912)
- Disable public registration
- Disable Swagger API
- Add nginx-ingress security headers:
  - X-Content-Type-Options: nosniff
  - X-XSS-Protection: 1; mode=block
  - Referrer-Policy: strict-origin-when-cross-origin
  - Permissions-Policy
- Enable HSTS preload
- Reorganize Gitea K8s manifests into gitea/ directory

Made-with: Cursor

backend/deploy/k8s/nginx-ingress-config.yaml

@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+  labels:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+data:
+  # Security Headers
+  add-headers: "ingress-nginx/custom-headers"
+  
+  # Enable snippets for per-ingress customization
+  allow-snippet-annotations: "true"
+  
+  # Hide server version
+  server-tokens: "false"
+  
+  # SSL settings
+  ssl-protocols: "TLSv1.2 TLSv1.3"
+  ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
+  ssl-prefer-server-ciphers: "true"
+  
+  # HSTS
+  hsts: "true"
+  hsts-max-age: "31536000"
+  hsts-include-subdomains: "true"
+  hsts-preload: "true"
+  
+  # Proxy settings
+  proxy-body-size: "100m"
+  proxy-read-timeout: "300"
+  proxy-send-timeout: "300"
+  
+  # Security
+  use-forwarded-headers: "true"
+  compute-full-forwarded-for: "true"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: custom-headers
+  namespace: ingress-nginx
+data:
+  X-Content-Type-Options: "nosniff"
+  X-XSS-Protection: "1; mode=block"
+  X-Frame-Options: "SAMEORIGIN"
+  Referrer-Policy: "strict-origin-when-cross-origin"
+  Permissions-Policy: "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"