docs: Add planning, lessons learned, requirements, and firewall documentation

FIREWALL.md

@@ -0,0 +1,9 @@
+# Firewall Configuration
+
+Based on the deployment plan, the following ports need to be opened on the firewall for the host **Scully**:
+
+*   `80/tcp`: For HTTP traffic, primarily used by Let's Encrypt for certificate validation.
+*   `443/tcp`: For HTTPS traffic to access all web services.
+*   `51820/udp`: For the WireGuard VPN tunnel.
+
+No ports need to be opened on the firewall for the host **Mulder**, as Gitea will be accessed through the reverse proxy on Scully.

LESSONS_LEARNED.md

@@ -0,0 +1,6 @@
+# Lessons Learned
+
+*   The `network` role in this repository is a powerful tool that sets up a complete network stack, including Nginx Proxy Manager for reverse proxying and `wireguard-easy` for a WireGuard web UI.
+*   The `gitea` and `postgres` roles use Docker Compose to deploy their respective services.
+*   Properly managing variables, especially secrets like passwords and API keys, is crucial. Using `group_vars` and a `.gitignore`d `secrets` directory is a good practice.
+*   It's important to have a clear plan and get user feedback before making any changes. The "planning mode" and "acting mode" paradigm is a good way to structure the workflow.

REQUIREMENTS.md

@@ -0,0 +1,13 @@
+# Project Requirements
+
+*   Deploy Ansible scripts to two hosts: Mulder and Scully.
+*   Use a Git repository for version control of the Ansible playbooks.
+*   Manage SSH keys securely within the project.
+*   Deploy Gitea on Mulder.
+*   Deploy Keycloak on Scully.
+*   Apply a `common` set of configurations to both hosts.
+*   Set up a reverse proxy with Nginx on Scully.
+*   Secure all web services with HTTPS and Let's Encrypt certificates.
+*   Access services via subdomains (e.g., `gitea.my-url.com`, `keycloak.my-url.com`).
+*   Provide a web interface for managing WireGuard.
+*   The user wants to be involved in the planning process and approve all changes before they are applied.