Many years ago I made a momentous pull request to gitea, "Allow the use of alternative net.Listener implementations by downstreams" (Pull Request #25855, go-gitea/gitea), in which I requested/added a feature I called “Pluggable Listeners.” For those of you who are not gophers, Go has a standard “listener” abstract type (interface) with a default implementation, but if you create your own concrete type which matches the interface then you can replace the standard listener with your own. So if you want to host your gitea instance so that it only answers within a private overlay network, then you can simply replace the listener with the one corresponding to the overlay network. If you can do all the modifications required to replace the listener without requiring a patch, then you’ll also never have a merge conflict. This, plus a little creative use of the http.Client, lets me build freestanding, custom gitea servers which are capable of interacting with Tor, I2P, Clearnet, self-signed HTTPS, automatically issued HTTPS, on a Tailnet (by detecting the tailscale interface and automatically listening on it), or any other kind of network-like interface. The especially great part is that if you can do all of this without a patch (which you can) then you can just have your CI/CD systems integrate the modifications and build automatically every time they see a new tag from upstream (which is exactly what I do).
This isn’t just hypothetical either; it’s all been working pretty cleanly (albeit quietly) for a few months now. I have 2 variants going, which as a new user I will need to add as replies to this post.
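The interface substitution described in the post, as an added example that is not code from the post, the pull request, or gitea: a concrete type that satisfies Go's `net.Listener` and only accepts peers inside an allowed address prefix. The names `overlayListener` and `permitted` are hypothetical, the prefix is a constructed sample, and only the standard library is used.

```go
package main

import (
	"net"
	"net/http"
	"net/netip"
)

// overlayListener (hypothetical name) satisfies net.Listener by embedding a real
// listener; Accept drops peers outside the allowed prefixes and fails closed.
type overlayListener struct {
	net.Listener
	allowed []netip.Prefix
}

func (l *overlayListener) permitted(addr net.Addr) bool {
	ap, err := netip.ParseAddrPort(addr.String())
	if err != nil {
		return false // unparseable peer address: reject rather than guess
	}
	for _, p := range l.allowed {
		if p.Contains(ap.Addr().Unmap()) { // Unmap: ::ffff:a.b.c.d counts as IPv4
			return true
		}
	}
	return false
}

func (l *overlayListener) Accept() (net.Conn, error) {
	for {
		c, err := l.Listener.Accept()
		if err != nil {
			return nil, err
		}
		if l.permitted(c.RemoteAddr()) {
			return c, nil
		}
		c.Close() // outside the allowed range: never reaches the HTTP handler
	}
}

func main() {
	inner, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	// Constructed policy: loopback only. Any server taking a net.Listener works.
	ln := &overlayListener{inner, []netip.Prefix{netip.MustParsePrefix("127.0.0.0/8")}}
	panic(http.Serve(ln, http.NotFoundHandler()))
}
```

Because the filter lives in `Accept`, the HTTP server needs no changes, which is the same property that lets a downstream swap listeners without carrying a patch.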