Implement modular nftables architecture and Gitea SSH firewall management

- Restructure security playbook with modular nftables loader
- Base rules loaded first, service rules second, drop rule last
- Add Gitea self-contained firewall management (port 2222)
- Add fail2ban protection for Gitea SSH brute force attacks
- Update documentation with new firewall architecture
- Create comprehensive Gitea deployment and testing guide

This enables self-contained service roles to manage their own firewall
rules without modifying the central security playbook. Each service
deploys rules to /etc/nftables.d/ which are loaded before the final
drop rule, maintaining the defense-in-depth security model.

roles/gitea/templates/gitea.nft.j2

@@ -0,0 +1,11 @@
+# Gitea SSH Firewall Rules - Rick-Infra
+# Generated by Ansible Gitea role
+# Allows incoming SSH connections on port {{ gitea_ssh_port }}
+#
+# This file is loaded BEFORE the final drop rule (99-drop.nft)
+# Filename: 50-gitea.nft (ensures proper load order)
+
+# Add Gitea SSH port to the input chain
+add rule inet filter input tcp dport {{ gitea_ssh_port }} ct state new accept comment "Gitea SSH (Port {{ gitea_ssh_port }})"
+
+# Rick-Infra: Self-contained firewall rule for Gitea SSH access