refactor: Cloudflare Tunnel + frp SSH 中转变更

- 新增 cloudflared Docker 服务替代原 Bandwagon frp 方案
- 新增 frpc 转发 Git SSH 到阿里云 VPS
- 为所有服务添加 web entrypoint 路由（兼容 cloudflared HTTP）
- HedgeDoc 添加 X-Forwarded-Proto 中间件修复 CSP 登录问题
- Homepage 添加 xiteng.site 根域名路由
- Gitea 配置 SSH_DOMAIN=git.xiteng.site
- 更新 README 反映当前架构
- .gitignore: frpc.toml / credentials / letsencrypt

hedgedoc/compose.yml

@@ -34,6 +34,14 @@ services:
       - "traefik.http.services.hedgedoc.loadbalancer.server.port=3000"
       # 强制使用 websecure (443端口) 入口
       - "traefik.http.routers.hedgedoc.entrypoints=websecure"
+      # --- HTTP 入口（来自 cloudflared tunnel）---
+      - "traefik.http.routers.hedgedoc-http.rule=Host(`notes.xiteng.site`)"
+      - "traefik.http.routers.hedgedoc-http.service=hedgedoc"
+      - "traefik.http.routers.hedgedoc-http.entrypoints=web"
+      # --- 中间件：强制 X-Forwarded-Proto（Cloudflare Tunnel 用 HTTP 连 Traefik，但用户端是 HTTPS）---
+      - "traefik.http.middlewares.force-https.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.routers.hedgedoc-http.middlewares=force-https"
+      - "traefik.http.routers.hedgedoc.middlewares=force-https"
       # --- 新增：开启 TLS 并指定解析器 ---
       - "traefik.http.routers.hedgedoc.tls=true"
       - "traefik.http.routers.hedgedoc.tls.certresolver=cfresolver"