roles/common: Use Abuse.ch's SSL Blacklist in nftables

This adds Abuse.sh's list of IPs using blacklisted SSL certificates
to nftables. These IPs are high confidence indicators of compromise
and we should not route them. The list is updated daily by a systemd
timer.

See: https://sslbl.abuse.ch/blacklist/

roles/common/files/update-abusech-nftables.service

@@ -0,0 +1,27 @@
+[Unit]
+Description=Update Abuse.ch SSL Blacklist IPs
+# This service will fail if nftables is not running so we use Requires to make
+# sure that nftables is started.
+Requires=nftables.service
+# Make sure the network is up and nftables is started
+After=network-online.target nftables.service
+Wants=network-online.target update-abusech-nftables.timer
+
+[Service]
+# https://www.ctrl.blog/entry/systemd-service-hardening.html
+# Doesn't need access to /home or /root
+ProtectHome=true
+# Possibly only works on Ubuntu 18.04+
+ProtectKernelTunables=true
+ProtectSystem=full
+# Newer systemd can use ReadWritePaths to list files, but this works everywhere
+ReadWriteDirectories=/etc/nftables
+PrivateTmp=true
+WorkingDirectory=/var/tmp
+
+SyslogIdentifier=update-abusech-nftables
+ExecStart=/usr/bin/flock -x update-abusech-nftables.lck \
+          /usr/local/bin/update-abusech-nftables.sh
+
+[Install]
+WantedBy=multi-user.target