- Replace 'ufw disable && ufw --force enable' single-shot handler with a
block that dry-runs the ruleset, disables, re-enables, then verifies
ufw is active. No '&&' short-circuit, so failures are loud instead of
leaving the host firewall-less.
- Rename handler to 'Restart ufw (ip-forwarding settings changed)' to
reflect that this is a full restart (required to pick up
/etc/default/ufw and /etc/ufw/before.rules changes per ufw(8)).
- Add NAT/masquerade tasks: enable ipv4 forwarding, set
DEFAULT_FORWARD_POLICY=ACCEPT, and write a per-interface *nat block
in /etc/ufw/before.rules.
- Declare requires_ansible >=2.15 in meta/runtime.yml (handler uses
block:, supported since 2.12; 2.15 is a safe modern floor).
- README: document Ansible version requirement, port reservation
rules, and Immich pgvector Q&A.
Clément Désiles