feat: extend fail2ban with Forgejo SSH and Traefik HTTP jails

- Add traefik-auth filter: ban IPs with 10+ HTTP 401/403 in 5 min
- Add forgejo-ssh jail: ban after 3 failed SSH attempts (24h ban)
- Both jails are active; forgejo-ssh already detected 8 real attempts
- Traefik access.log now written to /opt/services/traefik/logs/

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

roles/base/tasks/firewall.yml

@@ -118,7 +118,18 @@
   community.general.ufw:
     state: enabled
 
-- name: Ensure fail2ban is configured for SSH
+- name: Deploy fail2ban Traefik filter
+  ansible.builtin.copy:
+    dest: /etc/fail2ban/filter.d/traefik-auth.conf
+    content: |
+      [Definition]
+      # Match lines where Traefik returned 401 or 403
+      failregex = ^<HOST> - \S+ \[.*\] ".*" (401|403) .*$
+      ignoreregex =
+    mode: "0644"
+  notify: Restart fail2ban
+
+- name: Ensure fail2ban is configured
   ansible.builtin.copy:
     dest: /etc/fail2ban/jail.local
     content: |
@@ -132,6 +143,26 @@
       port    = {{ sshd_port }}
       logpath = %(sshd_log)s
       backend = %(sshd_backend)s
+
+      # Forgejo git-over-SSH (port 2222, bypasses Cloudflare — ban is effective)
+      [forgejo-ssh]
+      enabled  = true
+      port     = 2222
+      filter   = sshd
+      logpath  = %(sshd_log)s
+      backend  = %(sshd_backend)s
+      maxretry = 3
+      bantime  = 86400
+
+      # Traefik HTTP 401/403 — brute force on protected routes
+      [traefik-auth]
+      enabled  = true
+      port     = http,https
+      filter   = traefik-auth
+      logpath  = /opt/services/traefik/logs/access.log
+      maxretry = 10
+      findtime = 300
+      bantime  = 3600
     mode: "0644"
   notify: Restart fail2ban