Implement modular nftables architecture and Gitea SSH firewall management

- Restructure security playbook with modular nftables loader
- Base rules loaded first, service rules second, drop rule last
- Add Gitea self-contained firewall management (port 2222)
- Add fail2ban protection for Gitea SSH brute force attacks
- Update documentation with new firewall architecture
- Create comprehensive Gitea deployment and testing guide

This enables self-contained service roles to manage their own firewall
rules without modifying the central security playbook. Each service
deploys rules to /etc/nftables.d/ which are loaded before the final
drop rule, maintaining the defense-in-depth security model.

roles/gitea/tasks/main.yml

@@ -16,6 +16,18 @@
     name: gitea
     state: present
 
+# Firewall configuration - self-managed by Gitea role
+- name: Configure firewall for Gitea SSH
+  import_tasks: firewall.yml
+  tags: ['firewall']
+  when: gitea_manage_firewall | default(true)
+
+# fail2ban protection - self-managed by Gitea role
+- name: Configure fail2ban for Gitea SSH
+  import_tasks: fail2ban.yml
+  tags: ['fail2ban', 'security']
+  when: gitea_manage_firewall | default(true)
+
 - name: Install Git 
   pacman:
     name: git