Implement modular nftables architecture and Gitea SSH firewall management

- Restructure security playbook with modular nftables loader
- Base rules loaded first, service rules second, drop rule last
- Add Gitea self-contained firewall management (port 2222)
- Add fail2ban protection for Gitea SSH brute force attacks
- Update documentation with new firewall architecture
- Create comprehensive Gitea deployment and testing guide

This enables self-contained service roles to manage their own firewall
rules without modifying the central security playbook. Each service
deploys rules to /etc/nftables.d/ which are loaded before the final
drop rule, maintaining the defense-in-depth security model.

rick-infra.yml

@@ -25,13 +25,13 @@
     #     name: authentik
     #   tags: ['authentik', 'sso', 'auth']
 
-    # - name: Deploy Gitea
-    #   include_role:
-    #     name: gitea
-    #   tags: ['gitea', 'git', 'development']
-
-    - name: Deploy Nextcloud
+    - name: Deploy Gitea
       include_role:
-        name: nextcloud
-      tags: ['nextcloud', 'cloud', 'storage']
+        name: gitea
+      tags: ['gitea', 'git', 'development']
+
+    # - name: Deploy Nextcloud
+    #   include_role:
+    #     name: nextcloud
+    #   tags: ['nextcloud', 'cloud', 'storage']