roles/common: re-work fail2ban and nftables

Re-work the fail2ban and nftables interaction. Use systemd's PartOf
to indicate that fail2ban is part of the nftables service, which
tells systemd to propogate stop/start signals to it. Then we tell
the firehol update script to restart nftables instead of reload.
The different between restart and reload is meaningless for nftables
but we want systemd to propagate the stop/start signals to fail2ban.

roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2

@@ -1,3 +1,7 @@
+[Unit]
+# If nftables is stopped or restarted, propagate to fail2ban as well
+PartOf=nftables.service
+
 [Service]
 PrivateDevices=yes
 PrivateTmp=yes

roles/common/templates/update-firehol-nftables.sh.j2

@@ -58,8 +58,8 @@ NFT_HEAD
     rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
 fi
 
-echo "Reloading nftables"
+echo "Restarting nftables"
 
-/usr/bin/systemctl reload nftables.service
+/usr/bin/systemctl restart nftables.service
 
 rm -v firehol_level1.netset