Why

The base role enables UFW with a default-deny policy before adding the SSH port allow rule. This creates a window where the firewall is active with no allow rules, which can drop the active Ansible SSH connection and lock out the user after the first initialization stage.

What Changes

  • Reorder UFW tasks in roles/base/tasks/main.yml: allow SSH and other ports before enabling UFW with the deny policy
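
The reordering described above, sketched as an added example (not the role's actual tasks). The `community.general.ufw` module and the variables `base_ssh_port` and `base_extra_tcp_ports` are assumptions; the page does not show the contents of roles/base/tasks/main.yml.

```yaml
# Added example. Module choice and variable names are hypothetical.

# --- Before: lockout window ---
# UFW becomes active with default deny and no allow rules. The SSH allow
# task below only runs if the Ansible connection survives the task above.
#
# - name: Enable UFW with default deny
#   community.general.ufw:
#     state: enabled
#     default: deny
#     direction: incoming
#
# - name: Allow SSH
#   community.general.ufw:
#     rule: allow
#     port: "{{ base_ssh_port }}"
#     proto: tcp

# --- After: allow rules first, enable last ---
# Rules added while UFW is inactive are stored and take effect on enable,
# so the firewall is never active without the SSH rule in place.
- name: Allow SSH before the firewall is active
  community.general.ufw:
    rule: allow
    port: "{{ base_ssh_port | default(22) }}"
    proto: tcp

- name: Allow other service ports
  community.general.ufw:
    rule: allow
    port: "{{ item }}"
    proto: tcp
  loop: "{{ base_extra_tcp_ports | default([]) }}"

- name: Enable UFW with default deny
  community.general.ufw:
    state: enabled
    default: deny
    direction: incoming
```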

Capabilities

New Capabilities

Modified Capabilities

Impact

  • roles/base/tasks/main.yml: task reordering only, no functional changes