Implement SSH passthrough mode and refactor Gitea domain configuration

Major Changes:
- Add dual SSH mode system (passthrough default, dedicated fallback)
- Refactor domain configuration to use direct specification pattern
- Fix critical fail2ban security gap in dedicated mode
- Separate HTTP and SSH domains for cleaner Git URLs

roles/gitea/tasks/fail2ban.yml

@@ -1,7 +1,7 @@
 ---
 # Gitea fail2ban Configuration - Rick-Infra
-# Protects Gitea SSH from brute force attacks
-# Integrates with system fail2ban service
+# Mode-aware: Only protects dedicated mode (port 2222)
+# In passthrough mode, system 'sshd' jail protects port 22
 
 - name: Install fail2ban
   pacman:
@@ -13,6 +13,7 @@
     content: |
       # Fail2ban filter for Gitea SSH authentication failures
       # Rick-Infra: Gitea role
+      # Only used in dedicated mode (port {{ gitea_ssh_port }})
       
       [Definition]
       # Match failed authentication attempts in Gitea logs
@@ -33,14 +34,17 @@
     modification_time: preserve
     access_time: preserve
 
-- name: Add Gitea SSH jail to fail2ban
+- name: Add Gitea SSH jail to fail2ban (mode-aware)
   blockinfile:
     path: /etc/fail2ban/jail.local
     marker: "# {mark} ANSIBLE MANAGED BLOCK - Gitea SSH"
     block: |
       # Gitea SSH Protection - Rick-Infra
+      # Mode: {{ gitea_ssh_mode }}
+      # - dedicated: Monitors Gitea logs on port {{ gitea_ssh_port }}
+      # - passthrough: Disabled (system 'sshd' jail protects port 22)
       [gitea-ssh]
-      enabled = true
+      enabled = {{ 'true' if gitea_ssh_mode == 'dedicated' else 'false' }}
       port = {{ gitea_ssh_port }}
       filter = gitea-ssh
       logpath = {{ gitea_home }}/log/gitea.log
@@ -57,19 +61,61 @@
     enabled: yes
     state: started
 
-- name: Add fail2ban restart handler
+- name: Flush handlers to ensure fail2ban restarts
   meta: flush_handlers
 
-- name: Display fail2ban status for Gitea
+- name: Wait for fail2ban to be ready
+  pause:
+    seconds: 2
+
+- name: Verify gitea-ssh jail status (dedicated mode only)
+  command: fail2ban-client status gitea-ssh
+  register: gitea_jail_verify
+  changed_when: false
+  failed_when: false
+  when: gitea_ssh_mode == 'dedicated'
+
+- name: Verify sshd jail status (passthrough mode)
+  command: fail2ban-client status sshd
+  register: sshd_jail_verify
+  changed_when: false
+  failed_when: false
+  when: gitea_ssh_mode == 'passthrough'
+
+- name: Display fail2ban configuration status
   debug:
     msg: |
-      🛡️  fail2ban configured for Gitea SSH
-      📍 Filter: /etc/fail2ban/filter.d/gitea-ssh.conf
-      📍 Jail: gitea-ssh (in /etc/fail2ban/jail.local)
-      🔒 Protection: Port {{ gitea_ssh_port }}
-      ⏱️  Ban time: 1 hour (3600 seconds)
-      🔢 Max retries: 5 attempts in 10 minutes
+      🛡️  fail2ban Protection for Gitea SSH
+      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+      📍 Mode: {{ gitea_ssh_mode | upper }}
       
-      Check status: fail2ban-client status gitea-ssh
+      {% if gitea_ssh_mode == 'dedicated' %}
+      📍 Jail: gitea-ssh
+      📍 Port: {{ gitea_ssh_port }}
+      📍 Status: {{ 'Active ✅' if gitea_jail_verify.rc == 0 else 'Not Active ⚠️' }}
+      📍 Filter: /etc/fail2ban/filter.d/gitea-ssh.conf
+      📍 Logfile: {{ gitea_home }}/log/gitea.log
+      
+      Protection Settings:
+        • Max retries: 5 attempts
+        • Find time: 10 minutes (600 seconds)
+        • Ban time: 1 hour (3600 seconds)
+      
+      Check status:
+        fail2ban-client status gitea-ssh
+      
+      {% else %}
+      📍 Jail: sshd (system jail)
+      📍 Port: 22
+      📍 Status: {{ 'Active ✅' if sshd_jail_verify.rc == 0 else 'Not Active ⚠️' }}
+      📍 Coverage: All SSH traffic including Gitea Git operations
+      
+      Note: In passthrough mode, the system 'sshd' jail automatically
+            protects all SSH traffic on port 22, including Gitea Git
+            operations. No separate gitea-ssh jail is needed.
+      
+      Check status:
+        fail2ban-client status sshd
+      {% endif %}
 
 # Rick-Infra: Self-contained fail2ban protection per role