fix: allow Docker bridge networks through UFW for runner + add unattended-upgrades

firewall.yml:
- Allow 172.16.0.0/12 and 10.0.0.0/8 on ports 80/443 so act_runner
  job containers can reach git.csrx.ru (Forgejo via Traefik)
- Without this, Cloudflare-only rules broke CI/CD pipeline

unattended_upgrades.yml (new):
- Install unattended-upgrades + apt-listchanges
- Configure auto-apply of security patches only (not all updates)
- Auto-clean every 7 days, remove unused deps
- No auto-reboot (manual control over kernel reboots)

base/tasks/main.yml:
- Add unattended_upgrades.yml to task sequence

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

roles/base/tasks/firewall.yml

@@ -13,6 +13,28 @@
     proto: tcp
     comment: "Forgejo SSH"
 
+- name: Allow HTTP from Docker bridge networks (runner + internal services)
+  community.general.ufw:
+    rule: allow
+    port: "80"
+    proto: tcp
+    src: "{{ item }}"
+    comment: "HTTP from Docker networks"
+  loop:
+    - "172.16.0.0/12"
+    - "10.0.0.0/8"
+
+- name: Allow HTTPS from Docker bridge networks (runner + internal services)
+  community.general.ufw:
+    rule: allow
+    port: "443"
+    proto: tcp
+    src: "{{ item }}"
+    comment: "HTTPS from Docker networks"
+  loop:
+    - "172.16.0.0/12"
+    - "10.0.0.0/8"
+
 - name: Allow HTTP from Cloudflare IPs only
   community.general.ufw:
     rule: allow

roles/base/tasks/main.yml

@@ -2,6 +2,7 @@
 - import_tasks: packages.yml
 - import_tasks: swap.yml
 - import_tasks: sysctl.yml
+- import_tasks: unattended_upgrades.yml
 - import_tasks: users.yml
 - import_tasks: sshd.yml
 - import_tasks: firewall.yml

roles/base/tasks/unattended_upgrades.yml

@@ -0,0 +1,46 @@
+---
+- name: Install unattended-upgrades
+  ansible.builtin.apt:
+    name:
+      - unattended-upgrades
+      - apt-listchanges
+    state: present
+
+- name: Configure unattended-upgrades
+  ansible.builtin.copy:
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    content: |
+      Unattended-Upgrade::Allowed-Origins {
+          "${distro_id}:${distro_codename}-security";
+          "${distro_id}ESMApps:${distro_codename}-apps-security";
+          "${distro_id}ESM:${distro_codename}-infra-security";
+      };
+
+      // Automatically reboot if required (kernel updates etc.)
+      Unattended-Upgrade::Automatic-Reboot "false";
+
+      // Remove unused dependencies
+      Unattended-Upgrade::Remove-Unused-Dependencies "true";
+      Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+      // Send email on errors (optional — comment out if no mail)
+      // Unattended-Upgrade::Mail "admin@csrx.ru";
+
+      // Minimum age of packages before auto-removing
+      Unattended-Upgrade::MinimalSteps "true";
+    mode: "0644"
+
+- name: Enable automatic upgrades
+  ansible.builtin.copy:
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+    content: |
+      APT::Periodic::Update-Package-Lists "1";
+      APT::Periodic::Unattended-Upgrade "1";
+      APT::Periodic::AutocleanInterval "7";
+    mode: "0644"
+
+- name: Ensure unattended-upgrades service is running
+  ansible.builtin.systemd:
+    name: unattended-upgrades
+    state: started
+    enabled: true