diff --git a/playbook-ufw.yml b/playbook-ufw.yml
new file mode 100644
index 0000000..3e8773f
--- /dev/null
+++ b/playbook-ufw.yml
@@ -0,0 +1,58 @@
+---
+- name: "Configure UFW firewall"
+ hosts: all
+
+ vars_files:
+ - vars/secrets.yml
+
+ tasks:
+ - name: "Ensure UFW is installed"
+ ansible.builtin.apt:
+ name: ufw
+ state: present
+ update_cache: true
+
+ - name: "Set default incoming policy to deny"
+ community.general.ufw:
+ direction: incoming
+ policy: deny
+
+ - name: "Set default outgoing policy to allow"
+ community.general.ufw:
+ direction: outgoing
+ policy: allow
+
+ - name: "Allow SSH on port 22"
+ community.general.ufw:
+ rule: allow
+ port: "22"
+ proto: tcp
+
+ - name: "Allow Gitea SSH on port 2222"
+ community.general.ufw:
+ rule: allow
+ port: "2222"
+ proto: tcp
+
+ - name: "Allow HTTP on port 80/tcp"
+ community.general.ufw:
+ rule: allow
+ port: "80"
+ proto: tcp
+
+ - name: "Allow HTTPS on port 443/tcp"
+ community.general.ufw:
+ rule: allow
+ port: "443"
+ proto: tcp
+
+ - name: "Allow HTTPS QUIC on port 443/udp"
+ community.general.ufw:
+ rule: allow
+ port: "443"
+ proto: udp
+
+ - name: "Enable UFW"
+ community.general.ufw:
+ state: enabled
+ logging: true
diff --git a/requirements.yml b/requirements.yml
index 25a45ee..f92ecc2 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -11,3 +11,4 @@ roles:
 collections:
 - name: 'community.docker'
+ - name: 'community.general'
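Review bot: `vars_files: - vars/secrets.yml` is loaded into the play, but no task in this file references a variable from it, so the secrets are placed into every host's variable scope for no purpose; drop the `vars_files` stanza here or move it to the play that actually consumes those values. Separately, the play targets `hosts: all` while several rules are service-specific (`Allow Gitea SSH on port 2222`, 80/443), so every managed host ends up exposing ports only the Gitea host needs; limit the play to that host group or guard the service rules with a `when:` condition. For the port-22 rule, `rule: limit` (or a `from_ip:` restriction to the management network) would keep UFW's rate limiting on the administrative port, and the module supports both. `logging: true` only works because Ansible coerces the boolean to the module's `on` choice; `logging: "on"` matches the documented values and avoids relying on that coercion.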
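Review bot: `- name: 'community.general'` is added without a `version:`, so each `ansible-galaxy collection install -r requirements.yml` resolves whatever release is newest and the `community.general.ufw` tasks that now depend on it are not reproducible across runs; pin it, e.g. `- name: 'community.general'` followed by `  version: '<PINNED_VERSION>'` (placeholder). The existing `community.docker` entry on the context line has the same gap, though this commit does not touch it. The hunk header announces four new-side lines but only three are visible after the collapse, so a context line (presumably blank) appears to have been lost in rendering rather than in the patch.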