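---
# Host firewall for the WireGuard ingress box.
#
# Inbound on the public side only SSH and the WireGuard listener are
# accepted; a fixed set of TCP ports is forwarded when it arrives over the
# WireGuard interface (wg0); everything else inbound is denied by policy.
# Reloading ufw is done by a handler, so an unchanged run reports no change.
- name: Ufw-ingress
  hosts: animeistrash
  become: true

  vars:
    # TCP ports that may be forwarded when they arrive on wg0.
    # Kept as strings so YAML never turns them into integers.
    wg_routed_tcp_ports:
      - "25"    # mail
      - "465"   # mail
      - "587"   # mail
      - "993"   # mail
      - "2222"  # gitbee ssh
      - "8448"  # matrix federation
      - "4444"  # backup ssh
      - "80"
      - "443"

  handlers:
    # Runs once at the end of the play, and only if some ufw task changed.
    - name: Reload ufw
      ansible.builtin.command: ufw reload

  tasks:
    - name: Install ufw
      ansible.builtin.apt:
        name: ufw
        state: present

    # Log level "medium" — see ufw(8) for what each level records.
    - name: Logging
      community.general.ufw:
        logging: "medium"
      notify: Reload ufw

    # NOTE(review): accepted from any source address; if the administrative
    # network is known, narrow this with from_ip.
    - name: UFW - Allow SSH
      community.general.ufw:
        rule: allow
        proto: tcp
        port: "22"
      notify: Reload ufw

    - name: UFW - Allow wireguard
      community.general.ufw:
        rule: allow
        proto: udp
        port: "41194"
      notify: Reload ufw

    # Forwarding (route) rule: traffic entering on wg0 may be passed on to the
    # listed TCP ports. No destination host is fixed here; to_ip can narrow it.
    - name: UFW - Allow wireguard routing tcp
      community.general.ufw:
        route: true
        rule: allow
        interface_in: wg0
        proto: tcp
        to_port: "{{ item }}"
      loop: "{{ wg_routed_tcp_ports }}"
      notify: Reload ufw

    # Forwarded traffic may leave via wg0 regardless of port.
    - name: UFW - Allow wireguard outgoing
      community.general.ufw:
        route: true
        rule: allow
        interface_out: wg0
      notify: Reload ufw

    # Inbound default policy only; outgoing and routed defaults are left at
    # ufw's built-in values. The explicit direction documents that.
    - name: UFW - Enable and deny by default
      community.general.ufw:
        state: enabled
        default: deny
        direction: incoming
      notify: Reload ufw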