- Restructure security playbook with modular nftables loader
- Base rules loaded first, service rules second, drop rule last
- Add Gitea self-contained firewall management (port 2222)
- Add fail2ban protection for Gitea SSH brute force attacks
- Update documentation with new firewall architecture
- Create comprehensive Gitea deployment and testing guide

This enables self-contained service roles to manage their own firewall rules without modifying the central security playbook. Each service deploys rules to /etc/nftables.d/ which are loaded before the final drop rule, maintaining the defense-in-depth security model.
12 lines
487 B
Django/Jinja
# Gitea SSH Firewall Rules - Rick-Infra
# Generated by Ansible Gitea role
# Allows incoming SSH connections on port {{ gitea_ssh_port }}
#
# This file is loaded BEFORE the final drop rule (99-drop.nft)
# Filename: 50-gitea.nft (ensures proper load order)

# Add Gitea SSH port to the input chain
add rule inet filter input tcp dport {{ gitea_ssh_port }} ct state new accept comment "Gitea SSH (Port {{ gitea_ssh_port }})"

# Rick-Infra: Self-contained firewall rule for Gitea SSH access
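The whole scheme depends on 50-gitea.nft sorting before 99-drop.nft when the loader pulls in /etc/nftables.d/. The following shell check is an added example, not code from this repository: it assumes the central loader includes the directory with a wildcard that nft expands in alphabetical order, builds a constructed fixture mirroring the commit's layout, and verifies that the drop file loads last and that a service drop-in only appends accept rules.

```shell
#!/bin/sh
# Added example (not part of the commit): sanity-check the nftables.d load
# order. Assumption: the loader includes the directory with a wildcard,
# which nft expands alphabetically, so a filename's numeric prefix decides
# when its rules are appended to the input chain.

# check_load_order DIR DROPFILE
# Returns 0 if DROPFILE is the last .nft file in DIR (lexical order),
# 1 if another file would load after the drop rule, 2 if DIR is empty.
check_load_order() {
    dir=$1; drop=$2; last=""
    for f in "$dir"/*.nft; do            # shell globs expand in sorted order
        [ -e "$f" ] || { echo "no .nft files in $dir" >&2; return 2; }
        last=${f##*/}
    done
    if [ "$last" != "$drop" ]; then
        echo "ERROR: $last sorts after $drop; its accepts are unreachable" >&2
        return 1
    fi
    echo "load order OK: $drop is last"
}

# service_file_ok FILE
# Service drop-ins may only append accept rules: a drop or reject in a
# 50-*.nft file would shadow every service file loaded after it.
service_file_ok() {
    ! grep -Eq '^[[:space:]]*add rule[[:space:]].*[[:space:]](drop|reject)([[:space:]]|$)' "$1"
}

# make_demo_dir: constructed fixture mirroring the commit's layout
make_demo_dir() {
    d=$(mktemp -d)
    printf 'add rule inet filter input ct state established,related accept\n' > "$d/10-base.nft"
    printf 'add rule inet filter input tcp dport 2222 ct state new accept comment "Gitea SSH"\n' > "$d/50-gitea.nft"
    printf 'add rule inet filter input drop\n' > "$d/99-drop.nft"
    echo "$d"
}

demo=$(make_demo_dir)
check_load_order "$demo" 99-drop.nft
service_file_ok "$demo/50-gitea.nft" && echo "50-gitea.nft: accept-only, OK"
rm -rf "$demo"
```

Point it at the real /etc/nftables.d/ from the Ansible role's verification step to catch a misnumbered drop-in before the ruleset is applied.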