Implement modular nftables architecture and Gitea SSH firewall management

- Restructure security playbook with modular nftables loader
- Base rules loaded first, service rules second, drop rule last
- Add Gitea self-contained firewall management (port 2222)
- Add fail2ban protection for Gitea SSH brute force attacks
- Update documentation with new firewall architecture
- Create comprehensive Gitea deployment and testing guide

This enables self-contained service roles to manage their own firewall
rules without modifying the central security playbook. Each service
deploys rules to /etc/nftables.d/ which are loaded before the final
drop rule, maintaining the defense-in-depth security model.

roles/gitea/tasks/fail2ban.yml

@@ -0,0 +1,75 @@
+---
+# Gitea fail2ban Configuration - Rick-Infra
+# Protects Gitea SSH from brute force attacks
+# Integrates with system fail2ban service
+
+- name: Install fail2ban
+  pacman:
+    name: fail2ban
+    state: present
+
+- name: Create Gitea fail2ban filter
+  copy:
+    content: |
+      # Fail2ban filter for Gitea SSH authentication failures
+      # Rick-Infra: Gitea role
+      
+      [Definition]
+      # Match failed authentication attempts in Gitea logs
+      failregex = .*(Failed authentication attempt|authentication failed|Invalid user|Failed login attempt).*from\s+<HOST>
+                  .*level=warning.*msg=.*authentication.*failed.*ip=<HOST>
+      
+      ignoreregex =
+    dest: /etc/fail2ban/filter.d/gitea-ssh.conf
+    mode: '0644'
+    backup: yes
+  notify: restart fail2ban
+
+- name: Ensure fail2ban jail.local exists
+  file:
+    path: /etc/fail2ban/jail.local
+    state: touch
+    mode: '0644'
+    modification_time: preserve
+    access_time: preserve
+
+- name: Add Gitea SSH jail to fail2ban
+  blockinfile:
+    path: /etc/fail2ban/jail.local
+    marker: "# {mark} ANSIBLE MANAGED BLOCK - Gitea SSH"
+    block: |
+      # Gitea SSH Protection - Rick-Infra
+      [gitea-ssh]
+      enabled = true
+      port = {{ gitea_ssh_port }}
+      filter = gitea-ssh
+      logpath = {{ gitea_home }}/log/gitea.log
+      maxretry = 5
+      findtime = 600
+      bantime = 3600
+      banaction = nftables
+    backup: yes
+  notify: restart fail2ban
+
+- name: Enable and start fail2ban service
+  systemd:
+    name: fail2ban
+    enabled: yes
+    state: started
+
+- name: Add fail2ban restart handler
+  meta: flush_handlers
+
+- name: Display fail2ban status for Gitea
+  debug:
+    msg: |
+      🛡️  fail2ban configured for Gitea SSH
+      📍 Filter: /etc/fail2ban/filter.d/gitea-ssh.conf
+      📍 Jail: gitea-ssh (in /etc/fail2ban/jail.local)
+      🔒 Protection: Port {{ gitea_ssh_port }}
+      ⏱️  Ban time: 1 hour (3600 seconds)
+      🔢 Max retries: 5 attempts in 10 minutes
+      
+      Check status: fail2ban-client status gitea-ssh
+
+# Rick-Infra: Self-contained fail2ban protection per role

roles/gitea/tasks/firewall.yml

@@ -0,0 +1,51 @@
+---
+# Gitea Firewall Configuration - Rick-Infra
+# Self-contained firewall management for Gitea SSH access
+# Opens port 2222 for Gitea's SSH server
+
+- name: Install nftables (if not present)
+  pacman:
+    name: nftables
+    state: present
+
+- name: Create nftables rules directory
+  file:
+    path: /etc/nftables.d
+    state: directory
+    mode: '0755'
+
+- name: Deploy Gitea nftables rules
+  template:
+    src: gitea.nft.j2
+    dest: /etc/nftables.d/50-gitea.nft
+    mode: '0644'
+  notify: reload nftables
+  register: gitea_nft_deployed
+
+- name: Validate nftables loader configuration
+  command: nft -c -f /etc/nftables-load.conf
+  changed_when: false
+  failed_when: false
+  register: nft_validation
+
+- name: Display nftables validation results
+  debug:
+    msg: "{{ 'nftables configuration valid' if nft_validation.rc == 0 else 'nftables validation failed: ' + nft_validation.stderr }}"
+  when: nft_validation is defined
+
+- name: Enable and start nftables service
+  systemd:
+    name: nftables
+    enabled: yes
+    state: started
+
+- name: Display Gitea firewall status
+  debug:
+    msg: |
+      🔥 Gitea firewall configuration deployed
+      📍 Rule file: /etc/nftables.d/50-gitea.nft
+      🔓 Port opened: {{ gitea_ssh_port }} (Gitea SSH)
+      
+      ⚠️  Note: nftables will reload automatically via handler
+
+# Rick-Infra: Self-contained firewall management per role

roles/gitea/tasks/main.yml

@@ -16,6 +16,18 @@
     name: gitea
     state: present
 
+# Firewall configuration - self-managed by Gitea role
+- name: Configure firewall for Gitea SSH
+  import_tasks: firewall.yml
+  tags: ['firewall']
+  when: gitea_manage_firewall | default(true)
+
+# fail2ban protection - self-managed by Gitea role
+- name: Configure fail2ban for Gitea SSH
+  import_tasks: fail2ban.yml
+  tags: ['fail2ban', 'security']
+  when: gitea_manage_firewall | default(true)
+
 - name: Install Git 
   pacman:
     name: git