chore: added iac

Signed-off-by: ITQ <itq.dev@ya.ru>

infrastructure/iac/ansible/roles/security/handlers/main.yaml

@@ -0,0 +1,6 @@
+---
+- name: Reload nftables
+  ansible.builtin.systemd:
+    name: nftables
+    state: reloaded
+  tags: security, nftables

infrastructure/iac/ansible/roles/security/tasks/main.yaml

@@ -0,0 +1,38 @@
+---
+- name: Install security packages
+  ansible.builtin.apt:
+    name: "{{ system_packages.security }}"
+    state: present
+    update_cache: true
+  tags: security
+
+- name: Install nftables
+  ansible.builtin.apt:
+    name:
+      - nftables
+    state: present
+    update_cache: true
+  tags: security, nftables
+
+- name: Render nftables configuration
+  ansible.builtin.template:
+    src: nftables.conf.j2
+    dest: /etc/nftables.conf
+    owner: root
+    group: root
+    mode: '0644'
+    validate: 'nft -c -f %s'
+  notify: Reload nftables
+  tags: security, nftables
+
+- name: Enable and start nftables
+  ansible.builtin.systemd:
+    name: nftables
+    state: started
+    enabled: true
+  tags: security, nftables
+
+- name: Install and configure fail2ban
+  include_role:
+    name: geerlingguy.security
+  tags: security

infrastructure/iac/ansible/roles/security/templates/nftables.conf.j2

@@ -0,0 +1,34 @@
+#!/usr/sbin/nft -f
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0;
+        policy {{ security_firewall_default_policy | default('drop') }};
+
+        ct state established,related accept
+        iifname lo accept
+
+        # allow ICMP
+        ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded } accept
+        ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
+
+{% for p in security_firewall_allowed_ports %}
+{% set parts = p.split('/') %}
+{% set port = parts[0] %}
+{% set proto = parts[1] if parts|length > 1 else 'tcp' %}
+        {{ proto }} dport {{ port }} accept
+{% endfor %}
+
+        reject with icmpx type port-unreachable
+    }
+
+    chain forward {
+        type filter hook forward priority 0;
+        policy accept;
+    }
+
+    chain output {
+        type filter hook output priority 0;
+        policy accept;
+    }
+}