Implement modular nftables architecture and Gitea SSH firewall management

- Restructure security playbook with modular nftables loader - Base rules loaded first, service rules second, drop rule last - Add Gitea self-contained firewall management (port 2222) - Add fail2ban protection for Gitea SSH brute force attacks - Update documentation with new firewall architecture - Create comprehensive Gitea deployment and testing guide This enables self-contained service roles to manage their own firewall rules without modifying the central security playbook. Each service deploys rules to /etc/nftables.d/ which are loaded before the final drop rule, maintaining the defense-in-depth security model.
2025-12-16 21:45:22 +01:00
parent 9b12225ec8
commit 2fe194ba82
12 changed files with 933 additions and 43 deletions
--- a/roles/gitea/tasks/firewall.yml
+++ b/roles/gitea/tasks/firewall.yml
@@ -0,0 +1,51 @@
+---
+# Gitea Firewall Configuration - Rick-Infra
+# Self-contained firewall management for Gitea SSH access
+# Opens port 2222 for Gitea's SSH server
+
+- name: Install nftables (if not present)
+  pacman:
+    name: nftables
+    state: present
+
+- name: Create nftables rules directory
+  file:
+    path: /etc/nftables.d
+    state: directory
+    mode: '0755'
+
+- name: Deploy Gitea nftables rules
+  template:
+    src: gitea.nft.j2
+    dest: /etc/nftables.d/50-gitea.nft
+    mode: '0644'
+  notify: reload nftables
+  register: gitea_nft_deployed
+
+- name: Validate nftables loader configuration
+  command: nft -c -f /etc/nftables-load.conf
+  changed_when: false
+  failed_when: false
+  register: nft_validation
+
+- name: Display nftables validation results
+  debug:
+    msg: "{{ 'nftables configuration valid' if nft_validation.rc == 0 else 'nftables validation failed: ' + nft_validation.stderr }}"
+  when: nft_validation is defined
+
+- name: Enable and start nftables service
+  systemd:
+    name: nftables
+    enabled: yes
+    state: started
+
+- name: Display Gitea firewall status
+  debug:
+    msg: |
+      🔥 Gitea firewall configuration deployed
+      📍 Rule file: /etc/nftables.d/50-gitea.nft
+      🔓 Port opened: {{ gitea_ssh_port }} (Gitea SSH)
+      
+      ⚠️  Note: nftables will reload automatically via handler
+
+# Rick-Infra: Self-contained firewall management per role