by embedding-shape 39 days ago
> I’m thinking about making a public instance and using it with HTTPS, but minimizing the attack surface. Any recommendations, especially about Gitea/Forgejo?

I've done this too in the past. I'm still running the internal/LAN Forgejo instance, but not any public instance at the moment. But in the past, I've set up a public read-only instance, which mirrors my internal one, then one reverse-proxy connection from the internal to the public instance, which the public one uses for getting the git data. Then it mostly just kept on working by itself: whenever I changed anything in the internal Forgejo, the public one got updated, yet I could keep all issues, CI and more completely private and on the LAN.

1 comments

Did you use some sort of intrusion prevention system? I'm using Cloudflare's anti-DDoS service + CrowdSec, but I'm still getting bombarded with hundreds of thousands of requests per month.

Besides rate-limiting with Caddy + fail2ban, not really. It's the public internet, anything gets bombarded almost as soon as it's public, but all requests are read-only requests so it doesn't really impact anything beyond filling the access logs. Trivial to filter away when you want to do analytics too, so it isn't really a problem.
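
One way to check the "read-only" property of such a mirror from its access logs, as an added example that is not part of the thread: it assumes Caddy's JSON access-log format and the git smart-HTTP endpoint names (`git-upload-pack` for fetch, `git-receive-pack` for push); the sample lines, paths and addresses are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Caddy's JSON access-log shape (not real traffic).
SAMPLE_LOG = """\
{"request":{"remote_ip":"198.51.100.7","method":"GET","uri":"/me/proj.git/info/refs?service=git-upload-pack"},"status":200}
{"request":{"remote_ip":"198.51.100.7","method":"POST","uri":"/me/proj.git/git-upload-pack"},"status":200}
{"request":{"remote_ip":"203.0.113.9","method":"GET","uri":"/me/proj.git/info/refs?service=git-receive-pack"},"status":403}
{"request":{"remote_ip":"203.0.113.9","method":"POST","uri":"/user/login"},"status":200}
{"request":{"remote_ip":"203.0.113.9","method":"GET","uri":"/.env"},"status":404}
not json at all
"""

def classify(method, uri):
    """Return 'git-read', 'write' or 'other' for one request."""
    parts = urlsplit(uri)
    service = parse_qs(parts.query).get("service", [""])[0]
    if parts.path.endswith("/git-receive-pack") or service == "git-receive-pack":
        return "write"       # push endpoint of git smart HTTP
    if parts.path.endswith("/git-upload-pack") or service == "git-upload-pack":
        return "git-read"    # clone/fetch; the POST here only reads
    if method.upper() not in ("GET", "HEAD", "OPTIONS"):
        return "write"       # any other state-changing verb
    return "other"

def triage(lines):
    """Count request classes and per-IP volume; list write-type requests answered 2xx."""
    classes, per_ip, answered_2xx = Counter(), Counter(), []
    for line in lines:
        try:
            entry = json.loads(line)
            req = entry["request"]
            method, uri, ip = req["method"], req["uri"], req["remote_ip"]
            status = int(entry["status"])
        except (ValueError, KeyError, TypeError):
            classes["unparsed"] += 1   # keep a count instead of crashing on junk
            continue
        kind = classify(method, uri)
        classes[kind] += 1
        per_ip[ip] += 1
        if kind == "write" and 200 <= status < 300:
            answered_2xx.append((ip, method, uri, status))
    return classes, per_ip, answered_2xx

if __name__ == "__main__":
    classes, per_ip, answered = triage(SAMPLE_LOG.splitlines())
    print(dict(classes), per_ip.most_common(3), answered, sep="\n")
```

A 2xx on a write-type request is a line to review rather than proof that something changed: a login form, for instance, can return 200 while rejecting the credentials.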