From ba37edd4989cf479da81d2c1906a4ac31c630abe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20D=C3=A9siles?= <1536672+cdesiles@users.noreply.github.com>
Date: Mon, 10 Nov 2025 23:57:34 +0100
Subject: [PATCH] doc: add more ufw comments

---
 roles/fail2ban/tasks/main.yml | 10 ++++++++++
 roles/wireguard/tasks/main.yml | 15 ++++++++-------
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
index 62fe7ad..6346ab7 100644
--- a/roles/fail2ban/tasks/main.yml
+++ b/roles/fail2ban/tasks/main.yml
@@ -52,6 +52,16 @@
 daemon_reload: true
 when: not override_conf.stat.exists
 
+- name: Enable UFW
+ community.general.ufw:
+ state: enabled
+
+- name: Enable UFW service at startup
+ ansible.builtin.systemd:
+ name: ufw
+ enabled: true
+ state: started
+
 - name: Start and enable fail2ban
 ansible.builtin.service:
 name: fail2ban
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index b54ebd2..8dfe5b4 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -46,16 +46,17 @@
 src: wireguard.conf.j2
 dest: /etc/wireguard/{{ wireguard_interface }}.conf
 
-- name: Start and enable service
- ansible.builtin.service:
- name: wg-quick@{{ wireguard_interface }}
- state: started
- enabled: true
- daemon_reload: true
-
 - name: Configure the firewall for wireguard
 community.general.ufw:
 rule: allow
 port: "{{ wireguard_port }}"
 proto: udp
 direction: in
+ comment: Wireguard VPN
+
+- name: Start and enable service
+ ansible.builtin.service:
+ name: wg-quick@{{ wireguard_interface }}
+ state: started
+ enabled: true
+ daemon_reload: true
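Review bot: The new `Enable UFW` task in roles/fail2ban/tasks/main.yml switches the firewall on with only `state: enabled`, and nothing in this hunk sets a default policy or allows the management port first. If no SSH allow rule is applied earlier in the play (not visible here), a deny-incoming default would drop the Ansible connection on first run; an allow rule for the SSH port should precede this task, and the policy should be pinned explicitly with `default: deny` and `direction: incoming` rather than inherited from the host. The following `Enable UFW service at startup` task looks redundant, since the ufw module's `state: enabled` already enables the firewall on boot. This hunk changes firewall state although the subject is tagged `doc:`, and the trailing `Start and enable fail2ban` task continues outside the hunk.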
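Review bot: The `Configure the firewall for wireguard` rule only has an effect once UFW is active, and this commit enables UFW in the fail2ban role, so the wireguard role now silently depends on another role having run. That dependency should be documented on the task, for example `# UFW is enabled in roles/fail2ban; this rule is inert until that role has been applied`, or the role should enable UFW itself. Moving the rule ahead of the service start is sound ordering. Separately, the template task that writes `/etc/wireguard/{{ wireguard_interface }}.conf` starts above the hunk, so its `mode` is not visible; as that file normally holds the interface private key, confirm it is written with `mode: "0600"` and root ownership.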