diff --git a/roles/lighttpd/tasks/main.json b/roles/lighttpd/tasks/main.json
index 1b6af91..d29fcdf 100644
--- a/roles/lighttpd/tasks/main.json
+++ b/roles/lighttpd/tasks/main.json
@@ -27,6 +27,35 @@
 "dest": "/etc/lighttpd/conf-enabled/10-ssl-custom.conf"
 }
 },
+ {
+ "name": "ufw | check",
+ "check_mode": true,
+ "become": true,
+ "community.general.ufw": {
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
+ },
+ {
+ "name": "ufw | allow port 80",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "80",
+ "proto": "tcp"
+ }
+ },
+ {
+ "name": "ufw | allow port 443",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "443",
+ "proto": "tcp"
+ }
+ },
 {
 "name": "restart service",
 "become": true,
diff --git a/roles/murmur/tasks/main.json b/roles/murmur/tasks/main.json
index 7341ac8..1b9ed12 100644
--- a/roles/murmur/tasks/main.json
+++ b/roles/murmur/tasks/main.json
@@ -25,6 +25,25 @@
 "cmd": "murmurd -ini /etc/mumble-server.ini -supw {{var_murmur_admin_password}}"
 }
 },
+ {
+ "name": "ufw | check",
+ "check_mode": true,
+ "become": true,
+ "community.general.ufw": {
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
+ },
+ {
+ "name": "ufw | allow port",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "{{var_murmur_port | string}}",
+ "proto": "tcp"
+ }
+ },
 {
 "name": "service",
 "become": true,
diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json
index 183ff43..5d7135b 100644
--- a/roles/nginx/tasks/main.json
+++ b/roles/nginx/tasks/main.json
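Review bot: `ufw | allow port 80` and `ufw | allow port 443` are skipped whenever the check-mode probe reports `changed`, which is precisely the case where ufw is not yet enabled, so a host on which the ufw role runs later (or where ufw is enabled by hand) ends up with the deny-incoming policy and no rule for this service. ufw accepts rules while inactive and applies them on enable, so the probe buys nothing; adding the rules unconditionally, or listing the ufw role as a meta dependency of this role, avoids the ordering trap, and if the intent is to leave the firewall alone on hosts without ufw, a dedicated boolean role variable in `when` is clearer than inferring it from a check-mode result. The probe also appears to fail rather than skip when the ufw binary is absent, since the module needs it even in check mode. The same three-task pattern is repeated in roles/murmur, roles/nginx, roles/proftpd and roles/synapse; one task looping over a port list would keep the five copies from drifting (the nginx and synapse copies already order `become`/`check_mode` differently).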
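Review bot: `ufw | allow port` opens `{{var_murmur_port}}` for TCP only; Mumble carries voice over UDP on the same port, and clients silently fall back to TCP tunnelling when UDP is blocked, which surfaces as worse latency rather than an obvious failure. Unless UDP is deliberately kept closed, add a second rule with `"proto": "udp"` (or loop the task over `["tcp", "udp"]`). The task name also drops the port number that the lighttpd/nginx/proftpd tasks include, as does the synapse copy; `ufw | allow port {{var_murmur_port}}` keeps the play output self-describing.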
@@ -25,6 +25,35 @@
 "dest": "/etc/nginx/ssl-hardening.conf"
 }
 },
+ {
+ "name": "ufw | check",
+ "become": true,
+ "check_mode": true,
+ "community.general.ufw": {
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
+ },
+ {
+ "name": "ufw | allow port 80",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "80",
+ "proto": "tcp"
+ }
+ },
+ {
+ "name": "ufw | allow port 443",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "443",
+ "proto": "tcp"
+ }
+ },
 {
 "name": "auto reload",
 "when": "var_nginx_auto_reload_interval == None",
diff --git a/roles/proftpd/tasks/main.json b/roles/proftpd/tasks/main.json
index d277bc0..e5bf9a0 100644
--- a/roles/proftpd/tasks/main.json
+++ b/roles/proftpd/tasks/main.json
@@ -8,5 +8,34 @@
 "proftpd-core"
 ]
 }
+ },
+ {
+ "name": "ufw | check",
+ "check_mode": true,
+ "become": true,
+ "community.general.ufw": {
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
+ },
+ {
+ "name": "ufw | allow port 20",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "20",
+ "proto": "tcp"
+ }
+ },
+ {
+ "name": "ufw | allow port 21",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "21",
+ "proto": "tcp"
+ }
 }
 ]
diff --git a/roles/synapse/tasks/main.json b/roles/synapse/tasks/main.json
index fd44ce1..63e0e78 100644
--- a/roles/synapse/tasks/main.json
+++ b/roles/synapse/tasks/main.json
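Review bot: The inbound allow for TCP 20 in `ufw | allow port 20` does not cover FTP data transfers: in active mode the server opens the data connection outbound from port 20, which the outgoing allow policy already permits, and in passive mode the client connects to a high port the server advertises, which these rules leave closed. Unless passive mode is not used, the range configured as `PassivePorts` in proftpd.conf needs a matching rule (the module accepts a range as `"port": "FROM:TO"` with `"proto": "tcp"`, where FROM:TO is a placeholder for the configured range), and the port-20 rule can go. The file ends with `]` inside this hunk, so no later task opens such a range.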
@@ -58,6 +58,25 @@
 "dest": "/etc/matrix-synapse/homeserver.yaml"
 }
 },
+ {
+ "name": "ufw | check",
+ "become": true,
+ "check_mode": true,
+ "community.general.ufw": {
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
+ },
+ {
+ "name": "ufw | allow port",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "8448",
+ "proto": "tcp"
+ }
+ },
 {
 "name": "restart service",
 "become": true,
diff --git a/roles/system_basics/handlers/main.json b/roles/system_basics/handlers/main.json
new file mode 100644
index 0000000..ba5eace
--- /dev/null
+++ b/roles/system_basics/handlers/main.json
@@ -0,0 +1,17 @@
+[
+ {
+ "name": "restart sshd",
+ "ansible.builtin.service": {
+ "name": "sshd",
+ "state": "restarted"
+ }
+ },
+ {
+ "name": "restart journal",
+ "ansible.builtin.service": {
+ "name": "systemd-journald",
+ "state": "restarted",
+ "enabled": true
+ }
+ }
+]
diff --git a/roles/ufw/tasks/main.json b/roles/ufw/tasks/main.json
new file mode 100644
index 0000000..003e4b6
--- /dev/null
+++ b/roles/ufw/tasks/main.json
@@ -0,0 +1,45 @@
+[
+ {
+ "name": "install ufw",
+ "become": true,
+ "ansible.builtin.apt": {
+ "update_cache": true,
+ "pkg": [
+ "ufw"
+ ]
+ }
+ },
+ {
+ "name": "ufw deny incoming",
+ "become": true,
+ "community.general.ufw": {
+ "direction": "incoming",
+ "proto": "any",
+ "policy": "deny"
+ }
+ },
+ {
+ "name": "ufw allow outgoing",
+ "become": true,
+ "community.general.ufw": {
+ "direction": "outgoing",
+ "proto": "any",
+ "policy": "allow"
+ }
+ },
+ {
+ "name": "ufw allow and rate-limit ssh",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "limit",
+ "name": "ssh"
+ }
+ },
+ {
+ "name": "enable ufw service",
+ "become": true,
+ "community.general.ufw": {
+ "state": "enabled"
+ }
+ }
+]
diff --git a/roles/unattended_upgrades/files/20auto-upgrades b/roles/unattended_upgrades/files/20auto-upgrades
new file mode 100644
index 0000000..8d6d7c8
--- /dev/null
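Review bot: Neither handler sets `become: true`, while every task added elsewhere in this commit escalates explicitly, so `restart sshd` and `restart journal` will fail with a permission error unless the play sets `become` globally, which is not visible here. Add `"become": true` to both handlers. On Debian/Ubuntu, which the apt-based tasks in the other roles imply, the OpenSSH unit is `ssh.service` and `sshd.service` is only an alias that exists once the unit is enabled, so `"name": "ssh"` is the safer choice.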
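Review bot: `enable ufw service` activates the deny-incoming policy with no logging set, so connections dropped by the policy leave nothing in the journal for later investigation; the module's `logging` parameter can ride on the same task, `"state": "enabled", "logging": "on"` (or `"low"`). The `limit` rule keys on the `ssh` application profile, i.e. port 22; if system_basics moves sshd to another port (it ships a handler to restart sshd, so sshd_config is presumably edited), the limit rule no longer matches and the deny policy cuts off management access when it goes live, so driving `port` from the same variable that sets the listener is safer. Note also that the service roles in this commit add their allow rules only when ufw is already enabled, so this role must run before them in the play order.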
+++ b/roles/unattended_upgrades/files/20auto-upgrades
@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/roles/unattended_upgrades/tasks/main.json b/roles/unattended_upgrades/tasks/main.json
new file mode 100644
index 0000000..014209d
--- /dev/null
+++ b/roles/unattended_upgrades/tasks/main.json
@@ -0,0 +1,48 @@
+[
+ {
+ "name": "install packages",
+ "become": true,
+ "ansible.builtin.apt": {
+ "update_cache": true,
+ "pkg": [
+ "unattended-upgrades",
+ "apt-listchanges"
+ ]
+ }
+ },
+ {
+ "name": "Allow unattended reboots (1)",
+ "become": true,
+ "ansible.builtin.lineinfile": {
+ "dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
+ "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot ",
+ "line": "Unattended-Upgrade::Automatic-Reboot \"true\";"
+ }
+ },
+ {
+ "name": "Allow unattended reboots (2)",
+ "become": true,
+ "ansible.builtin.lineinfile": {
+ "dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
+ "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot-Time ",
+ "line": "Unattended-Upgrade::Automatic-Reboot-Time \"23:55\";"
+ }
+ },
+ {
+ "name": "Allow more origins for updates",
+ "become": true,
+ "ansible.builtin.lineinfile": {
+ "dest": "/etc/apt/apt.conf.d/50unattended-upgrades",
+ "regexp": "^(//\\s*)?\"\\$\\{distro_id\\}:\\$\\{distro_codename\\}-updates\";",
+ "line": "\"${distro_id}:${distro_codename}-updates\";"
+ }
+ },
+ {
+ "name": "Enable unattended upgrades",
+ "become": true,
+ "ansible.builtin.copy": {
+ "src": "20auto-upgrades",
+ "dest": "/etc/apt/apt.conf.d/20auto-upgrades"
+ }
+ }
+]
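Review bot: `Allow more origins for updates` depends on `regexp` matching an existing line; when it does not (the stock 50unattended-upgrades differs between Debian and Ubuntu, and Debian's block is named `Origins-Pattern` rather than `Allowed-Origins`), `lineinfile` appends `"${distro_id}:${distro_codename}-updates";` at end of file, outside the `{ ... }` block, and apt rejects the whole configuration on its next run. Either anchor the insertion with `insertafter` on the block's opening line, or replace the three `lineinfile` tasks with an `ansible.builtin.template` of the full file so the result does not depend on the distribution's default. The tasks also use the `dest` alias where `path` is the module's documented name, and a `validate` step (e.g. `apt-config -c %s dump`) would catch a broken file before apt does.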