Add Template to deploy forgejo.

This template allows deploying a forgejo en either Scaleway or Hetzner
(untested) without much knowledge about them.
It DOES require knowledge about Terragrunt and ansible. A wizard of
sorts is provided but it will not guarantee success without some
knowledge about the underlying technology.

ansible/roles/forgejo/tasks/ufw.yml

@@ -0,0 +1,142 @@
+---
+# UFW Firewall configuration for Forgejo
+# Restricts SSH access to Tailscale interface only
+# Only exposes HTTP/HTTPS to the public internet
+
+- name: Install UFW
+  ansible.builtin.apt:
+    name: ufw
+    state: present
+    update_cache: yes
+  become: yes
+  tags:
+    - install
+    - ufw
+
+- name: Deploy Forgejo UFW application profile
+  ansible.builtin.template:
+    src: ufw-forgejo.j2
+    dest: /etc/ufw/applications.d/forgejo
+    owner: root
+    group: root
+    mode: '0644'
+  become: yes
+  tags:
+    - configure
+    - ufw
+
+- name: Reset UFW to default (clean slate)
+  community.general.ufw:
+    state: reset
+  become: yes
+  tags:
+    - configure
+    - ufw
+
+- name: Set default incoming policy to deny
+  community.general.ufw:
+    direction: incoming
+    policy: deny
+  become: yes
+  tags:
+    - configure
+    - ufw
+
+- name: Set default outgoing policy to allow
+  community.general.ufw:
+    direction: outgoing
+    policy: allow
+  become: yes
+  tags:
+    - configure
+    - ufw
+
+- name: Allow all traffic on Tailscale interface
+  community.general.ufw:
+    rule: allow
+    interface: "{{ tailscale_interface }}"
+    direction: in
+    comment: "Allow all Tailscale traffic (SSH, monitoring, internal services)"
+  become: yes
+  tags:
+    - configure
+    - ufw
+
+- name: Allow Docker network to access host services
+  community.general.ufw:
+    rule: allow
+    from_ip: 172.16.0.0/12
+    comment: "Allow Docker containers to access host services (PostgreSQL, etc.)"
+  become: yes
+  tags:
+    - configure
+    - ufw
+
+# Public-facing ports (Caddy handles HTTPS)
+- name: Allow HTTP (Caddy)
+  community.general.ufw:
+    rule: allow
+    port: "80"
+    proto: tcp
+    comment: "HTTP - Caddy (redirects to HTTPS)"
+  become: yes
+  tags:
+    - configure
+    - ufw
+
+- name: Allow HTTPS (Caddy)
+  community.general.ufw:
+    rule: allow
+    port: "443"
+    proto: tcp
+    comment: "HTTPS - Caddy/Forgejo"
+  become: yes
+  tags:
+    - configure
+    - ufw
+
+# Git SSH is only accessible via Tailscale (through the interface rule above)
+# Regular SSH is only accessible via Tailscale (through the interface rule above)
+
+- name: Enable UFW logging
+  community.general.ufw:
+    logging: "on"
+  become: yes
+  tags:
+    - configure
+    - ufw
+
+- name: Enable UFW
+  community.general.ufw:
+    state: enabled
+  become: yes
+  tags:
+    - configure
+    - ufw
+
+- name: Display UFW security configuration
+  ansible.builtin.debug:
+    msg: |
+      ===============================================================
+      FIREWALL CONFIGURED - SECURITY SUMMARY
+      ===============================================================
+
+      PUBLIC ACCESS (from anywhere):
+        - Port 80/tcp  (HTTP - redirects to HTTPS)
+        - Port 443/tcp (HTTPS - Forgejo web interface)
+
+      TAILSCALE-ONLY ACCESS (via {{ tailscale_interface }}):
+        - Port 22/tcp   (SSH - system administration)
+        - Port 2222/tcp (Git SSH - clone/push/pull)
+        - Port 3000/tcp (Forgejo internal - for debugging)
+        - Port 9090/tcp (Prometheus - if enabled)
+        - All other internal services
+
+      Git clone URLs:
+        - HTTPS (public): https://{{ forgejo_domain }}/user/repo.git
+        - SSH (Tailscale): git@<tailscale-hostname>:user/repo.git
+
+      To access SSH after this change:
+        ssh root@<tailscale-ip-or-hostname>
+
+      ===============================================================