joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement modular nftables architecture and Gitea SSH firewall management

Browse Source 
- Restructure security playbook with modular nftables loader
- Base rules loaded first, service rules second, drop rule last
- Add Gitea self-contained firewall management (port 2222)
- Add fail2ban protection for Gitea SSH brute force attacks
- Update documentation with new firewall architecture
- Create comprehensive Gitea deployment and testing guide

This enables self-contained service roles to manage their own firewall
rules without modifying the central security playbook. Each service
deploys rules to /etc/nftables.d/ which are loaded before the final
drop rule, maintaining the defense-in-depth security model.
This commit is contained in:
Joakim
2025-12-16 21:45:22 +01:00
parent 9b12225ec8
commit 2fe194ba82
12 changed files with 933 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
now-what.md
View File

@@ -1,7 +1,7 @@
# Now what?
- [ ] Redeploy on clean VPS to test playbook
- [ ] Must set up mini-vps for sigvild and devigo
- [x] Redeploy on clean VPS to test playbook
- [x] Must set up mini-vps for sigvild and devigo
- [ ] What gets served on jnss.me?
- [ ] Backups