Implement modular nftables architecture and Gitea SSH firewall management
- Restructure security playbook with modular nftables loader
- Base rules loaded first, service rules second, drop rule last
- Add Gitea self-contained firewall management (port 2222)
- Add fail2ban protection for Gitea SSH brute force attacks
- Update documentation with new firewall architecture
- Create comprehensive Gitea deployment and testing guide

This enables self-contained service roles to manage their own firewall rules without modifying the central security playbook. Each service deploys rules to /etc/nftables.d/ which are loaded before the final drop rule, maintaining the defense-in-depth security model.
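As an added illustration of the loader ordering the commit message describes (base rules first, per-service drop-ins second, the drop rule last), here is a main ruleset and one service drop-in. This is example configuration, not output of the repository's playbook; the table name `inet filter`, the drop-in file name `gitea.nft`, the host management SSH port 22 and the log prefix are assumptions. Port 2222 is the Gitea built-in SSH port named in the commit.

```nft
# ---- /etc/nftables.conf (loaded by nftables.service) ----
# Assumed layout: base rules, then service drop-ins, then the final drop.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Base rules (always first): keep established flows, loopback,
        # ICMP, and host management SSH on port 22 (assumed port).
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport 22 ct state new accept comment "host ssh"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# Service rules (second): each role drops one file into this directory.
# Files are parsed in order and their rules are appended to the chain above.
include "/etc/nftables.d/*.nft"

# Final drop (last): redeclaring an existing chain appends to it, so these
# rules land after every service rule. Rate-limited logging keeps rejected
# connection attempts visible without flooding the journal.
table inet filter {
    chain input {
        limit rate 5/second log prefix "nft-input-drop: "
        drop
    }
}

# ---- /etc/nftables.d/gitea.nft (deployed by the Gitea role when
# gitea_manage_firewall is true; the file name is an assumption) ----
table inet filter {
    chain input {
        tcp dport 2222 ct state new accept comment "gitea builtin ssh"
    }
}
```

The ordering guarantee comes from nftables appending rules in parse order: anything a service file adds sits between the base rules and the explicit `drop`, and the chain's `policy drop` still catches traffic even if a drop-in is malformed and the final block is never reached. The directory `/etc/nftables.d/` must exist before the include is evaluated, so the playbook should create it; `nft -c -f /etc/nftables.conf` checks the combined ruleset for syntax errors without loading it.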
@@ -66,6 +66,13 @@ gitea_require_signin: false
# SSH settings
gitea_start_ssh_server: true
|
# =================================================================
# Firewall Configuration
# =================================================================
|
# Firewall management
gitea_manage_firewall: true # Set to false if firewall is managed externally
|
# =================================================================
# Infrastructure Dependencies (Read-only)
# =================================================================
|
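Review bot: the new default `gitea_manage_firewall: true # Set to false if firewall is managed externally` opts every host running this role into having nftables rules written for it, and the comment says neither where the rule lands nor what happens on opt-out. Suggest the comment name the drop-in the role writes (the commit message says rules go to /etc/nftables.d/) and state whether switching the flag to false removes an already deployed file; otherwise a stale accept rule for port 2222 stays in force after firewall management is handed to another system. A second documentation point: the flag lives in the "Firewall Configuration" block but the fail2ban protection the commit message mentions is not referenced here, so it is unclear whether this single flag also controls that jail.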