roles/common: Use Abuse.ch's SSL Blacklist in nftables

This adds Abuse.sh's list of IPs using blacklisted SSL certificates
to nftables. These IPs are high confidence indicators of compromise
and we should not route them. The list is updated daily by a systemd
timer.

See: https://sslbl.abuse.ch/blacklist/

roles/common/files/abusech-ipv4.nft

@@ -0,0 +1,5 @@
+#!/usr/sbin/nft -f
+
+define ABUSECH_IPV4 = {
+192.168.254.254
+}

roles/common/files/update-abusech-nftables.service

@@ -0,0 +1,27 @@
+[Unit]
+Description=Update Abuse.ch SSL Blacklist IPs
+# This service will fail if nftables is not running so we use Requires to make
+# sure that nftables is started.
+Requires=nftables.service
+# Make sure the network is up and nftables is started
+After=network-online.target nftables.service
+Wants=network-online.target update-abusech-nftables.timer
+
+[Service]
+# https://www.ctrl.blog/entry/systemd-service-hardening.html
+# Doesn't need access to /home or /root
+ProtectHome=true
+# Possibly only works on Ubuntu 18.04+
+ProtectKernelTunables=true
+ProtectSystem=full
+# Newer systemd can use ReadWritePaths to list files, but this works everywhere
+ReadWriteDirectories=/etc/nftables
+PrivateTmp=true
+WorkingDirectory=/var/tmp
+
+SyslogIdentifier=update-abusech-nftables
+ExecStart=/usr/bin/flock -x update-abusech-nftables.lck \
+          /usr/local/bin/update-abusech-nftables.sh
+
+[Install]
+WantedBy=multi-user.target

roles/common/files/update-abusech-nftables.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+#
+# update-abuseipdb-nftables.sh v0.0.1
+#
+# Download IP addresses seen using a blacklisted SSL certificate and load them
+# into nftables sets. As of 2021-07-28 these appear to only be IPv4.
+# 
+# See: https://sslbl.abuse.ch/blacklist
+#
+# Copyright (C) 2021 Alan Orth
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Exit on first error
+set -o errexit
+
+abusech_ipv4_set_path=/etc/nftables/abusech-ipv4.nft
+abusech_list_temp=$(mktemp)
+
+echo "Downloading Abuse.sh SSL Blacklist IPs"
+
+abusech_response=$(curl -s -G -w "%{http_code}\n" https://sslbl.abuse.ch/blacklist/sslipblacklist.txt --output "$abusech_list_temp")
+
+if [[ $abusech_response -ne 200 ]]; then
+	echo "Abuse.ch responded: HTTP $abusech_response"
+
+	exit 1
+fi
+
+if [[ -f "$abusech_list_temp" ]]; then
+    echo "Processing IPv4 list"
+
+    abusech_ipv4_list_temp=$(mktemp)
+    abusech_ipv4_set_temp=$(mktemp)
+
+    # Remove comments, DOS carriage returns, and IPv6 addresses (even though
+    # Abuse.ch seems to only have IPv4 addresses, let's not break our shit on
+    # that assumption some time down the line).
+    sed -e '/#/d' -e 's/
+//' -e '/:/d' "$abusech_list_temp" > "$abusech_ipv4_list_temp"
+
+    echo "Building abusech-ipv4 set"
+    cat << NFT_HEAD > "$abusech_ipv4_set_temp"
+#!/usr/sbin/nft -f
+
+define ABUSECH_IPV4 = {
+NFT_HEAD
+
+    while read -r network; do
+        # nftables doesn't mind if the last element in the set has a trailing
+        # comma so we don't need to do anything special here.
+        echo "$network," >> "$abusech_ipv4_set_temp"
+    done < $abusech_ipv4_list_temp
+
+    echo "}" >> "$abusech_ipv4_set_temp"
+
+    install -m 0600 "$abusech_ipv4_set_temp" "$abusech_ipv4_set_path"
+
+    rm -f "$abusech_list_temp" "$abusech_ipv4_list_temp" "$abusech_ipv4_set_temp"
+fi
+
+echo "Reloading nftables"
+# The abusech nftables sets are included by nftables.conf

roles/common/files/update-abusech-nftables.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=Update Abuse.ch SSL Blacklist IPs
+
+[Timer]
+# Once a day at midnight
+OnCalendar=*-*-* 00:00:00
+# Add a random delay of 0–3600 seconds
+RandomizedDelaySec=3600
+Persistent=true
+
+[Install]
+WantedBy=timers.target