Implement modular nftables architecture and Gitea SSH firewall management

- Restructure security playbook with modular nftables loader
- Base rules loaded first, service rules second, drop rule last
- Add Gitea self-contained firewall management (port 2222)
- Add fail2ban protection for Gitea SSH brute force attacks
- Update documentation with new firewall architecture
- Create comprehensive Gitea deployment and testing guide

This enables self-contained service roles to manage their own firewall
rules without modifying the central security playbook. Each service
deploys rules to /etc/nftables.d/ which are loaded before the final
drop rule, maintaining the defense-in-depth security model.

roles/gitea/tasks/fail2ban.yml

@@ -0,0 +1,75 @@
+---
+# Gitea fail2ban Configuration - Rick-Infra
+# Protects Gitea SSH from brute force attacks
+# Integrates with system fail2ban service
+
+- name: Install fail2ban
+  pacman:
+    name: fail2ban
+    state: present
+
+- name: Create Gitea fail2ban filter
+  copy:
+    content: |
+      # Fail2ban filter for Gitea SSH authentication failures
+      # Rick-Infra: Gitea role
+      
+      [Definition]
+      # Match failed authentication attempts in Gitea logs
+      failregex = .*(Failed authentication attempt|authentication failed|Invalid user|Failed login attempt).*from\s+<HOST>
+                  .*level=warning.*msg=.*authentication.*failed.*ip=<HOST>
+      
+      ignoreregex =
+    dest: /etc/fail2ban/filter.d/gitea-ssh.conf
+    mode: '0644'
+    backup: yes
+  notify: restart fail2ban
+
+- name: Ensure fail2ban jail.local exists
+  file:
+    path: /etc/fail2ban/jail.local
+    state: touch
+    mode: '0644'
+    modification_time: preserve
+    access_time: preserve
+
+- name: Add Gitea SSH jail to fail2ban
+  blockinfile:
+    path: /etc/fail2ban/jail.local
+    marker: "# {mark} ANSIBLE MANAGED BLOCK - Gitea SSH"
+    block: |
+      # Gitea SSH Protection - Rick-Infra
+      [gitea-ssh]
+      enabled = true
+      port = {{ gitea_ssh_port }}
+      filter = gitea-ssh
+      logpath = {{ gitea_home }}/log/gitea.log
+      maxretry = 5
+      findtime = 600
+      bantime = 3600
+      banaction = nftables
+    backup: yes
+  notify: restart fail2ban
+
+- name: Enable and start fail2ban service
+  systemd:
+    name: fail2ban
+    enabled: yes
+    state: started
+
+- name: Add fail2ban restart handler
+  meta: flush_handlers
+
+- name: Display fail2ban status for Gitea
+  debug:
+    msg: |
+      🛡️  fail2ban configured for Gitea SSH
+      📍 Filter: /etc/fail2ban/filter.d/gitea-ssh.conf
+      📍 Jail: gitea-ssh (in /etc/fail2ban/jail.local)
+      🔒 Protection: Port {{ gitea_ssh_port }}
+      ⏱️  Ban time: 1 hour (3600 seconds)
+      🔢 Max retries: 5 attempts in 10 minutes
+      
+      Check status: fail2ban-client status gitea-ssh
+
+# Rick-Infra: Self-contained fail2ban protection per role