Add nginx filter for fail2ban

Some hosts can use fail2ban's nginx-botsearch filter to ban anyone
making requests to non-existent files like wp-login.php. There is
no reason to request such files naively and anyone found doing so
can be banned immediately.

In theory I should report them to AbuseIPDB.com, but that will take
a little more wiring up.

roles/common/templates/etc/fail2ban/jail.d/nginx.local.j2

@@ -0,0 +1,17 @@
+[nginx]
+enabled   = true
+# See: /etc/fail2ban/filter.d/nginx-botsearch.conf
+filter    = nginx-botsearch
+{% if (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')) %}
+# Integrate with nftables
+banaction=nftables[type=allports]
+{% else %}
+# Integrate with firewalld and ipsets
+banaction = firewallcmd-ipset
+{% endif %}
+logpath   = /var/log/nginx/*-access.log
+# Try to find a non-existent wp-login.php once and get banned. Tough luck.
+maxretry  = 1
+findtime  = {{ fail2ban_findtime }}
+bantime   = {{ fail2ban_bantime }}
+ignoreip  = {{ fail2ban_ignoreip }}