---
- name: Install UFW
  ansible.builtin.apt:
    pkg:
      - ufw

- name: Enable UFW and set default policy
  community.general.ufw:
    state: enabled
    policy: deny

- name: Allow SSH
  community.general.ufw:
    rule: allow
    name: OpenSSH

- name: Allow custom SSH port
  community.general.ufw:
    rule: allow
    port: '{{ sshd_port }}'
    proto: tcp

- name: Allow all access to web (80)
  community.general.ufw:
    rule: allow
    port: '80'
    proto: tcp

- name: Allow all access to web (443)
  community.general.ufw:
    rule: allow
    port: '443'
    proto: tcp

- name: Allow all access to node_exporter
  community.general.ufw:
    rule: allow
    port: '9100'
    proto: tcp

- name: Allow SSH access to Forgejo
  community.general.ufw:
    rule: allow
    port: '{{ forgejo_ssh_port }}'
    proto: tcp