diff --git a/ansible/inventory/host_vars/helsinki-a.yml b/ansible/inventory/host_vars/helsinki-a.yml
index 418aee7..6c9de61 100644
--- a/ansible/inventory/host_vars/helsinki-a.yml
+++ b/ansible/inventory/host_vars/helsinki-a.yml
@@ -10,6 +10,6 @@ docker_services:
   - forgejo
   - bitwarden
 
-ufw_allowed_ports:
-  - { port: 80, proto: tcp, comment: "HTTP" }
-  - { port: 443, proto: tcp, comment: "HTTPS" }
+common_ufw_allowed_ports:
+  - {port: 80, proto: tcp, comment: "HTTP"}
+  - {port: 443, proto: tcp, comment: "HTTPS"}
diff --git a/ansible/roles/common/defaults/main.yml b/ansible/roles/common/defaults/main.yml
index 8249b70..a7a9fb7 100644
--- a/ansible/roles/common/defaults/main.yml
+++ b/ansible/roles/common/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
 # UFW firewall defaults
-# Override ufw_allowed_ports in host_vars for public-facing services.
-ufw_enabled: true
-ufw_allowed_ports: []
-# - { port: 80, proto: tcp, comment: "HTTP" }
-# - { port: 443, proto: tcp, comment: "HTTPS" }
+# Override common_ufw_allowed_ports in host_vars for public-facing services.
+common_ufw_enabled: true
+common_ufw_allowed_ports: []
+# - {port: 80, proto: tcp, comment: "HTTP"}
+# - {port: 443, proto: tcp, comment: "HTTPS"}
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
index 9cde5e2..9897495 100644
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@@ -109,7 +109,7 @@
       default: deny
   when:
     - ansible_facts["os_family"] == "Debian"
-    - ufw_enabled | bool
+    - common_ufw_enabled | bool
   notify: Reload ufw
 
 - name: Set UFW default allow outgoing
@@ -118,18 +118,18 @@
       default: allow
   when:
     - ansible_facts["os_family"] == "Debian"
-    ufw_enabled | bool
+    common_ufw_enabled | bool
   notify: Reload ufw
 
 - name: Allow all traffic on Tailscale interface
   community.general.ufw:
     rule: allow
-    interface_or_direction: in
+    direction: in
     interface: tailscale0
     comment: "Tailscale mesh - allow all"
   when:
     - ansible_facts["os_family"] == "Debian"
-    ufw_enabled | bool
+    common_ufw_enabled | bool
   notify: Reload ufw
 
 - name: Allow SSH (safety net)
@@ -140,7 +140,7 @@
     comment: "SSH"
   when:
     - ansible_facts["os_family"] == "Debian"
-    - ufw_enabled | bool
+    - common_ufw_enabled | bool
   notify: Reload ufw
 
 - name: Allow host-specific ports
@@ -149,11 +149,11 @@
     port: "{{ item.port | string }}"
     proto: "{{ item.proto | default('tcp') }}"
     comment: "{{ item.comment | default(omit) }}"
-  loop: "{{ ufw_allowed_ports }}"
+  loop: "{{ common_ufw_allowed_ports }}"
   when:
     - ansible_facts["os_family"] == "Debian"
-    - ufw_enabled | bool
-    - ufw_allowed_ports | length > 0
+    - common_ufw_enabled | bool
+    - common_ufw_allowed_ports | length > 0
   notify: Reload ufw
 
 - name: Enable UFW
@@ -161,4 +161,4 @@
     state: enabled
   when:
     - ansible_facts["os_family"] == "Debian"
-    - ufw_enabled | bool
+    - common_ufw_enabled | bool
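Review bot: The Tailscale rule this hunk repairs (`rule: allow`, `direction: in`, `interface: tailscale0`) will now actually be applied, and it admits every port and protocol from any tailnet peer, so a single compromised or over-shared node reaches every listener bound on 0.0.0.0 on this host; as far as I can tell `interface_or_direction` is not a community.general.ufw parameter, so before this change the task failed rather than opening anything. If the mesh is only used for administration, narrow the rule — e.g. add `port: "22"` and `proto: tcp` to it — or at least state the justification in its `comment:` so the blanket allow reads as a deliberate decision rather than a default. Separately, the host_vars hunk in this commit lists 80/443 next to a `docker_services` key; if those ports are published by Docker, its own FORWARD/DOCKER iptables chain accepts that traffic before ufw's INPUT rules are consulted, so neither this rule nor `common_ufw_allowed_ports` bounds what the containers expose — inferred from that key, not visible in this task, but worth confirming (publish on 127.0.0.1 or the Tailscale address, or add DOCKER-USER rules).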