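---
# Host firewall baseline: deny all inbound traffic by default, then open only
# the ports the services on this host need. Every rule is added *before* UFW
# is enabled, so the first enable never cuts off the SSH session that is
# running this play.
- name: "Configure UFW firewall"
  hosts: all
  # apt and ufw both require root. Stated explicitly here rather than relying
  # on ansible.cfg / inventory to turn privilege escalation on.
  become: true
  # NOTE(review): none of the tasks below reference anything from this file.
  # Loading secrets into play vars for no reason widens their exposure
  # (debug/verbose output, fact caching) -- drop it unless a later play in the
  # same run depends on these vars being loaded here.
  vars_files:
    - vars/secrets.yml

  tasks:
    - name: "Ensure UFW is installed"
      ansible.builtin.apt:
        name: ufw
        state: present
        update_cache: true
        # Skip the package index refresh when it was done within the last hour.
        cache_valid_time: 3600

    # Default policies go first so the explicit allow rules below are the only
    # way in; anything not listed is dropped.
    - name: "Set default incoming policy to deny"
      community.general.ufw:
        direction: incoming
        policy: deny

    - name: "Set default outgoing policy to allow"
      community.general.ufw:
        direction: outgoing
        policy: allow

    # 'limit' is allow plus UFW's built-in rate limiting: a source that opens
    # more than 6 connections in 30 seconds (per the ufw man page) is dropped,
    # which blunts SSH password brute forcing. If the management hosts are
    # known, narrow this further with `from_ip: <management CIDR>`.
    - name: "Allow SSH on port 22 (rate-limited)"
      community.general.ufw:
        rule: limit
        port: "22"
        proto: tcp

    # Gitea's own SSH listener. Left as a plain allow: CI and clone traffic from
    # a single source can legitimately exceed the limit threshold above.
    - name: "Allow Gitea SSH on port 2222"
      community.general.ufw:
        rule: allow
        port: "2222"
        proto: tcp

    - name: "Allow HTTP on port 80/tcp"
      community.general.ufw:
        rule: allow
        port: "80"
        proto: tcp

    - name: "Allow HTTPS on port 443/tcp"
      community.general.ufw:
        rule: allow
        port: "443"
        proto: tcp

    # HTTP/3 runs over QUIC (UDP); without this rule clients fall back to TCP.
    - name: "Allow HTTPS QUIC on port 443/udp"
      community.general.ufw:
        rule: allow
        port: "443"
        proto: udp

    # Enable last, once every rule above exists. `logging` takes the string
    # levels on/off/low/medium/high/full; "on" is the module's documented value
    # (quoted so YAML does not read it as a boolean).
    - name: "Enable UFW"
      community.general.ufw:
        state: enabled
        logging: "on"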