Implement modular nftables architecture and Gitea SSH firewall management

- Restructure security playbook with modular nftables loader - Base rules loaded first, service rules second, drop rule last - Add Gitea self-contained firewall management (port 2222) - Add fail2ban protection for Gitea SSH brute force attacks - Update documentation with new firewall architecture - Create comprehensive Gitea deployment and testing guide This enables self-contained service roles to manage their own firewall rules without modifying the central security playbook. Each service deploys rules to /etc/nftables.d/ which are loaded before the final drop rule, maintaining the defense-in-depth security model.
2025-12-16 21:45:22 +01:00
parent 9b12225ec8
commit 2fe194ba82
12 changed files with 933 additions and 43 deletions
--- a/roles/gitea/handlers/main.yml
+++ b/roles/gitea/handlers/main.yml
@@ -15,4 +15,16 @@
  systemd:
    name: caddy
    state: reloaded
-  when: caddy_service_enabled | default(false)
+  when: caddy_service_enabled | default(false)
+
+- name: reload nftables
+  systemd:
+    name: nftables
+    state: reloaded
+  # Safety: only reload if service is active
+  when: ansible_connection != 'local'
+
+- name: restart fail2ban
+  systemd:
+    name: fail2ban
+    state: restarted