roles/common: Add initial support for nftables on Debian 11

I will try using nftables directly instead of via firewalld as of
Debian 11 as it is the replacement for the iptables/ipset stack in
recent years and is easier to work with.

This also includes a systemd service, timer, and script to update
the Spamhaus DROP lists as nftables sets.

Still need to add fail2ban support.
2021-07-26 13:09:41 +03:00
parent 38c333045b
commit 9bba0d96bb
9 changed files with 364 additions and 14 deletions

@ -15,3 +15,6 @@
- name: reload systemd
systemd: daemon_reload=yes
- name: reload nftables
systemd: name=nftables state=reloaded
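
Review bot: the new `reload nftables` handler at the end of this hunk applies whatever ruleset is on disk with no validation step before it, so a syntax error in a changed rules file only surfaces when the handler fires against the live firewall. Consider having the task that installs the nftables configuration check the file first (for example `nft -c -f` through the module's `validate` option), so this handler is only notified for a ruleset that parses. A short comment on the handler saying which tasks are expected to notify it would also help, since the hunk does not show them.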