diff --git a/roles/lighttpd/tasks/main.json b/roles/lighttpd/tasks/main.json
index 1b6af91..d29fcdf 100644
--- a/roles/lighttpd/tasks/main.json
+++ b/roles/lighttpd/tasks/main.json
@@ -27,6 +27,35 @@
 "dest": "/etc/lighttpd/conf-enabled/10-ssl-custom.conf"
 }
 },
+ {
+ "name": "ufw | check",
+ "check_mode": true,
+ "become": true,
+ "community.general.ufw": {
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
+ },
+ {
+ "name": "ufw | allow port 80",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "80",
+ "proto": "tcp"
+ }
+ },
+ {
+ "name": "ufw | allow port 443",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "443",
+ "proto": "tcp"
+ }
 },
 {
 "name": "restart service",
 "become": true,
diff --git a/roles/murmur/tasks/main.json b/roles/murmur/tasks/main.json
index 7341ac8..1b9ed12 100644
--- a/roles/murmur/tasks/main.json
+++ b/roles/murmur/tasks/main.json
@@ -25,6 +25,25 @@
 "cmd": "murmurd -ini /etc/mumble-server.ini -supw {{var_murmur_admin_password}}"
 }
 },
+ {
+ "name": "ufw | check",
+ "check_mode": true,
+ "become": true,
+ "community.general.ufw": {
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
+ },
+ {
+ "name": "ufw | allow port",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "{{var_murmur_port | string}}",
+ "proto": "tcp"
+ }
 },
 {
 "name": "service",
 "become": true,
diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json
index 0ef3b0e..664b54c 100644
--- a/roles/nginx/tasks/main.json
+++ b/roles/nginx/tasks/main.json
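Review bot: The `ufw | check` task at the top of the lighttpd additions does not make the port-80/443 rules safe on a host without ufw: the community.general.ufw module resolves the `ufw` binary as a required executable, so where the package is absent the check task itself fails and aborts the play instead of skipping the two rule tasks. If ufw may legitimately be missing, mark the check `"failed_when": false` and gate the rules on `"when": "ufw_enable_check is not failed and ufw_enable_check is not changed"`; the cleaner fix is to declare the `ufw` role as a dependency in this role's meta and drop the check entirely. Note also that when ufw is installed but disabled the rules are silently skipped, so if the ufw role is applied afterwards the web ports stay closed until this role runs again; the dependency approach removes that ordering hazard as well.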
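Review bot: The allow rule for `{{var_murmur_port | string}}` is TCP-only, but Mumble clients carry voice on UDP over the same port and only fall back to TCP tunnelling (with worse latency) when UDP is blocked, so under the deny-incoming default policy this rule leaves every client in degraded mode. Change the rule to `"proto": "any"`, or add a second task with `"proto": "udp"`, assuming the server ini (not visible here) keeps the default UDP transport. Separately, if the `ufw` binary is absent the `ufw | check` task fails the play rather than skipping the rule, so this role should either depend on the ufw role or mark the check `"failed_when": false` and test `ufw_enable_check is not failed` in the rule's condition.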
@@ -9,6 +9,50 @@
 ]
 }
 },
+ {
+ "name": "ufw | check",
+ "become": true,
+ "check_mode": true,
+ "community.general.ufw": {
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
+ },
+ {
+ "name": "ufw | allow port 80",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "80",
+ "proto": "tcp"
+ }
+ },
+ {
+ "name": "ufw | allow port 443",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "443",
+ "proto": "tcp"
+ }
+ },
+ {
+ "name": "auto reload",
+ "when": "var_nginx_auto_reload_interval == None",
+ "become": true,
+ "ansible.builtin.cron": {
+ "name": "nginx_auto_reload",
+ "disabled": true,
+ "minute": "0",
+ "hour": "*/{{var_nginx_auto_reload_interval | string}}",
+ "day": "*",
+ "month": "*",
+ "weekday": "*",
+ "job": "systemctl reload nginx"
+ }
 },
 {
 "name": "auto reload",
 "when": "var_nginx_auto_reload_interval != None",
diff --git a/roles/proftpd/tasks/main.json b/roles/proftpd/tasks/main.json
index d277bc0..e5bf9a0 100644
--- a/roles/proftpd/tasks/main.json
+++ b/roles/proftpd/tasks/main.json
@@ -8,5 +8,34 @@
 "proftpd-core"
 ]
 }
+ },
+ {
+ "name": "ufw | check",
+ "check_mode": true,
+ "become": true,
+ "community.general.ufw": {
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
+ },
+ {
+ "name": "ufw | allow port 20",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "20",
+ "proto": "tcp"
+ }
+ },
+ {
+ "name": "ufw | allow port 21",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "21",
+ "proto": "tcp"
+ }
 }
 ]
diff --git a/roles/synapse/tasks/main.json b/roles/synapse/tasks/main.json
index fd44ce1..63e0e78 100644
--- a/roles/synapse/tasks/main.json
+++ b/roles/synapse/tasks/main.json
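Review bot: The new `auto reload` task guarded by `var_nginx_auto_reload_interval == None` still templates `"hour": "*/{{var_nginx_auto_reload_interval | string}}"`, which renders as `*/None` when the variable is unset, so a nonsensical schedule is written (commented out, because of `"disabled": true`) and the task can only ever park the entry rather than clean it up. Replace the cron block with `"ansible.builtin.cron": { "name": "nginx_auto_reload", "state": "absent" }` so the entry is removed outright and no schedule needs templating at all. Two tasks now share the name `auto reload`; naming this one `auto reload | remove` keeps `--start-at-task` and log output unambiguous.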
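Review bot: The `ufw | allow port 20` rule opens the wrong direction: TCP/20 is the source port the server uses for active-mode data connections it initiates, which the ufw role's allow-outgoing default policy already covers, so an inbound allow on 20 is dead weight, while the inbound allow that is actually needed, for the passive-mode data range, is missing and passive transfers (the default for most clients behind NAT) will be blocked once ufw is enabled. Replace the port-20 task's rule with the range configured through `PassivePorts` in proftpd.conf, e.g. `"port": "{{var_proftpd_passive_ports | default('60000:60100') }}"` with `"proto": "tcp"`, and drive both from the same variable so they cannot drift. Exposing 21 through the firewall also means plaintext FTP credentials cross the network unless the proftpd configuration (not visible here) enforces TLS via `mod_tls`; a comment on the task, or an explicit `TLSRequired on` in the config, should make that decision visible.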
@@ -58,6 +58,25 @@
 "dest": "/etc/matrix-synapse/homeserver.yaml"
 }
 },
+ {
+ "name": "ufw | check",
+ "become": true,
+ "check_mode": true,
+ "community.general.ufw": {
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
+ },
+ {
+ "name": "ufw | allow port",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "8448",
+ "proto": "tcp"
+ }
 },
 {
 "name": "restart service",
 "become": true,
diff --git a/roles/ufw/tasks/main.json b/roles/ufw/tasks/main.json
new file mode 100644
index 0000000..003e4b6
--- /dev/null
+++ b/roles/ufw/tasks/main.json
@@ -0,0 +1,45 @@
+[
+ {
+ "name": "install ufw",
+ "become": true,
+ "ansible.builtin.apt": {
+ "update_cache": true,
+ "pkg": [
+ "ufw"
+ ]
+ }
+ },
+ {
+ "name": "ufw deny incoming",
+ "become": true,
+ "community.general.ufw": {
+ "direction": "incoming",
+ "proto": "any",
+ "policy": "deny"
+ }
+ },
+ {
+ "name": "ufw allow outgoing",
+ "become": true,
+ "community.general.ufw": {
+ "direction": "outgoing",
+ "proto": "any",
+ "policy": "allow"
+ }
+ },
+ {
+ "name": "ufw allow and rate-limit ssh",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "limit",
+ "name": "ssh"
+ }
+ },
+ {
+ "name": "enable ufw service",
+ "become": true,
+ "community.general.ufw": {
+ "state": "enabled"
+ }
+ }
+]
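Review bot: The `ufw | allow port` rule hard-codes 8448 while the murmur role parameterizes its port, and it exposes Synapse's federation listener directly with no indication of whether that listener terminates TLS. If the homeserver.yaml templated just above this hunk defines 8448 as a plain HTTP listener (the usual setup when a reverse proxy handles TLS), opening it through ufw publishes unencrypted federation traffic; in that setup the rule should be dropped in favour of the nginx role's 443 plus a `.well-known/matrix/server` delegation, or 8448 should be configured as a TLS listener. Either way, name the task `ufw | allow federation port` and take the port from a variable such as `var_synapse_federation_port` so the firewall rule and the listener config cannot drift apart.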
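Review bot: The `ufw allow and rate-limit ssh` task relies on the `ssh` application profile, i.e. TCP/22; if sshd on the target listens on any other port, the `deny` incoming policy set two tasks earlier locks out remote management the moment `enable ufw service` runs, with no fallback. Take the port from a variable instead, e.g. `"rule": "limit", "port": "{{var_ssh_port | default('22') | string}}", "proto": "tcp"`, sourced from whatever the sshd configuration uses. The `limit` action also drops a source that opens more than six new connections in thirty seconds, which Ansible itself can trip on a large play without ControlPersist or pipelining, so keep persistent connections enabled in ansible.cfg. Finally, nothing guarantees this role runs before the service roles that only add rules when ufw is already enabled, so declaring it as a `meta` dependency of those roles is the robust ordering.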