roles/common: Wire up fail2ban

The nftables support works easily and creates the table, chains, and
sets on demand.

roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2

@@ -2,8 +2,13 @@
 enabled   = true
 # See: /etc/fail2ban/filter.d/sshd.conf
 filter    = sshd
+{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '>=') %}
+# Integrate with nftables
+banaction=nftables[type=allports]
+{% else %}
 # Integrate with firewalld and ipsets
 banaction = firewallcmd-ipset
+{% endif %}
 backend   = systemd
 maxretry  = {{ fail2ban_maxretry }}
 findtime  = {{ fail2ban_findtime }}