roles/common: Use Abuse.ch's SSL Blacklist in nftables

This adds Abuse.sh's list of IPs using blacklisted SSL certificates
to nftables. These IPs are high confidence indicators of compromise
and we should not route them. The list is updated daily by a systemd
timer.

See: https://sslbl.abuse.ch/blacklist/

roles/common/templates/nftables.conf.j2

@@ -9,6 +9,9 @@ flush ruleset
 include "/etc/nftables/spamhaus-ipv4.nft"
 include "/etc/nftables/spamhaus-ipv6.nft"
 
+# Lists updated daily by update-abusech-nftables.sh
+include "/etc/nftables/abusech-ipv4.nft"
+
 # Notes:
 #   - tables hold chains, chains hold rules
 #   - inet is for both ipv4 and ipv6
@@ -26,6 +29,11 @@ table inet filter {
         elements = $SPAMHAUS_IPV6
     }
 
+    set abusech-ipv4 {
+        type ipv4_addr
+        elements = $ABUSECH_IPV4
+    }
+
     chain input {
         type filter hook input priority 0;
 
@@ -39,6 +47,9 @@ table inet filter {
         ip saddr @spamhaus-ipv4 counter drop
         ip6 saddr @spamhaus-ipv6 counter drop
 
+        # Drop packets matching the abusech set early.
+        ip saddr @abusech-ipv4 counter drop
+
         # Allow loopback traffic.
         iifname lo accept
 
@@ -83,5 +94,8 @@ table inet filter {
         # Drop outgoing packets matching the spamhaus sets too
         ip daddr @spamhaus-ipv4 counter drop
         ip6 daddr @spamhaus-ipv6 counter drop
+
+        # Drop outgoing packets matching the abusech sets too
+        ip daddr @abusech-ipv4 counter drop
     }
 }