Implement SSH passthrough mode and refactor Gitea domain configuration

Major Changes: - Add dual SSH mode system (passthrough default, dedicated fallback) - Refactor domain configuration to use direct specification pattern - Fix critical fail2ban security gap in dedicated mode - Separate HTTP and SSH domains for cleaner Git URLs
2025-12-17 21:51:24 +01:00
parent 2fe194ba82
commit cf71fb3a8d
15 changed files with 1134 additions and 102 deletions
--- a/roles/gitea/tasks/ssh_dedicated.yml
+++ b/roles/gitea/tasks/ssh_dedicated.yml
@@ -0,0 +1,74 @@
+---
+# Gitea Dedicated SSH Server Configuration - Rick-Infra
+# Configures Gitea to run its own SSH server on port 2222
+# This is the fallback mode when passthrough is not desired
+
+- name: Configure firewall for Gitea SSH (dedicated mode)
+  import_tasks: firewall.yml
+  tags: ['firewall']
+
+- name: Configure fail2ban for Gitea SSH (dedicated mode)
+  import_tasks: fail2ban.yml
+  tags: ['fail2ban', 'security']
+
+- name: Wait for fail2ban to be ready
+  pause:
+    seconds: 2
+
+- name: Verify gitea-ssh jail is active
+  command: fail2ban-client status gitea-ssh
+  register: gitea_jail_status
+  changed_when: false
+  failed_when: false
+
+- name: Display fail2ban protection status
+  debug:
+    msg: |
+      🛡️  Gitea SSH fail2ban protection:
+      {% if gitea_jail_status.rc == 0 %}
+      ✅ gitea-ssh jail is ACTIVE
+      {{ gitea_jail_status.stdout }}
+      {% else %}
+      ⚠️  WARNING: gitea-ssh jail not active!
+      This is a security risk - port {{ gitea_ssh_port }} is vulnerable to brute force attacks.
+      {% endif %}
+
+- name: Fail if gitea-ssh jail is not running (security critical)
+  fail:
+    msg: |
+      SECURITY ERROR: gitea-ssh fail2ban jail is not active!
+      Port {{ gitea_ssh_port }} is exposed but not protected.
+      Check fail2ban configuration and logs.
+  when: gitea_jail_status.rc != 0
+
+- name: Remove SSH passthrough configuration if present
+  blockinfile:
+    path: /etc/ssh/sshd_config
+    marker: "# {mark} ANSIBLE MANAGED BLOCK - Gitea SSH Passthrough"
+    state: absent
+    backup: yes
+  register: sshd_config_cleaned
+  notify: restart sshd
+
+- name: Remove AuthorizedKeysCommand script if present
+  file:
+    path: /usr/local/bin/gitea-keys
+    state: absent
+
+- name: Display dedicated mode configuration
+  debug:
+    msg: |
+      🔧 Gitea SSH Mode: DEDICATED
+      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+      📍 SSH Server: Gitea built-in (port {{ gitea_ssh_port }})
+      🔗 Clone URL: ssh://git@{{ gitea_ssh_domain }}:{{ gitea_ssh_port }}/user/repo.git
+      🔥 Firewall: Port {{ gitea_ssh_port }} opened (nftables)
+      🛡️  fail2ban: gitea-ssh jail protecting port {{ gitea_ssh_port }}
+      
+      Test connection:
+        ssh -T -p {{ gitea_ssh_port }} git@{{ gitea_ssh_domain }}
+      
+      Clone repository:
+        git clone ssh://git@{{ gitea_ssh_domain }}:{{ gitea_ssh_port }}/username/repo.git
+
+# Rick-Infra: Self-contained dedicated SSH mode with full security