roles/common: Add ipsets of abusive IPs to firewalld

This uses the ipsets feature of the Linux kernel to create lists of
IPs (though they could be MACs, IP:port, etc.) that we can block via the
existing firewalld zone we are already using. In my testing it works
on CentOS 7, Ubuntu 16.04, and Ubuntu 18.04.

The list of abusive IPs currently comes from HPC's systemd journal,
where I filtered for hosts that had attempted and failed to log in
over 100 times. The list is formatted with tidy, for example:

    $ tidy -xml -iq -m -w 0 roles/common/files/abusers-ipv4.xml

See: https://firewalld.org/2015/12/ipset-support
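As an added example (not code from this commit or the repository), the journal filtering and ipset file generation the message describes, in Python. It assumes the failed logins are sshd's standard "Failed password ... from <ip> port <n>" journal messages and keeps the message's threshold of over 100 attempts; the sample journal lines are constructed, and the output uses firewalld's ipset XML elements (`ipset`, `option`, `entry`).

```python
import re
from collections import Counter
from ipaddress import ip_address
from xml.etree import ElementTree as ET

# Constructed sample journal lines (not real HPC logs): one IPv4 host fails
# 120 times, another only 3 times, and one IPv6 host fails 150 times.
def _line(ip, port):
    return (f"Oct 05 12:00:00 hpc sshd[1200]: Failed password for root "
            f"from {ip} port {port} ssh2")

SAMPLE_JOURNAL = "\n".join(
    [_line("203.0.113.7", 40022)] * 120
    + [_line("198.51.100.9", 51000)] * 3
    + ["Oct 05 12:00:00 hpc sshd[1200]: Accepted publickey for alice "
       "from 198.51.100.9 port 51001 ssh2"]
    + [_line("2001:db8::5", 40100)] * 150
)

# Assumed sshd message format; captures the source address of a failed login.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def count_failed_logins(journal_text):
    """Map each source IP to its number of failed sshd password attempts."""
    counts = Counter()
    for line in journal_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def abusers(counts, threshold=100):
    """Return (ipv4_list, ipv6_list) of hosts with more than `threshold` failures."""
    v4, v6 = [], []
    for ip, n in counts.items():
        if n > threshold:
            (v4 if ip_address(ip).version == 4 else v6).append(ip)
    return sorted(v4), sorted(v6)

def ipset_xml(ips, family):
    """Render a firewalld ipset file of type hash:ip; family is 'inet' or 'inet6'."""
    root = ET.Element("ipset", type="hash:ip")
    ET.SubElement(root, "option", name="family", value=family)
    for ip in ips:
        ET.SubElement(root, "entry").text = ip
    return ET.tostring(root, encoding="unicode")
```

Writing `ipset_xml(v4, "inet")` and `ipset_xml(v6, "inet6")` to `abusers-ipv4.xml` and `abusers-ipv6.xml` gives the two files the tasks below copy into `/etc/firewalld/ipsets/`, and the tidy command from the message normalises their layout.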
2019-10-05 12:28:30 +03:00
parent 532b533516
commit c2a92269e4
4 changed files with 488 additions and 0 deletions

@ -21,6 +21,15 @@
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
notify:
- reload firewalld
- name: Copy ipsets of abusive IPs
when: ansible_distribution_major_version is version_compare('8', '>=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop:
- abusers-ipv4.xml
- abusers-ipv6.xml
notify:
- reload firewalld
tags: firewall
# vim: set sw=2 ts=2:
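Review bot: the guard `when: ansible_distribution_major_version is version_compare('8', '>=')` skips the ipset copy on CentOS 7, yet the commit message says the feature was tested on CentOS 7; if CentOS 7 hosts are meant to receive these lists, the comparison should be against `'7'`. Separately, this hunk only installs `abusers-ipv4.xml` and `abusers-ipv6.xml` under `/etc/firewalld/ipsets/` and reloads firewalld; nothing visible binds the ipsets to a zone or rich rule, so confirm that the `public.xml` zone template tidied just above references them, otherwise the sets load without blocking anything.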

@ -17,6 +17,15 @@
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
notify:
- reload firewalld
- name: Copy ipsets of abusive IPs
when: ansible_distribution_major_version is version_compare('15.04', '>=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop:
- abusers-ipv4.xml
- abusers-ipv6.xml
notify:
- reload firewalld
tags: firewall
# vim: set sw=2 ts=2:
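Review bot: on Ubuntu, `ansible_distribution_major_version` is `16` or `18`, not `16.04`, so `version_compare('15.04', '>=')` only passes because `16` happens to sort after `15.04`; the fact that carries the `NN.MM` release string is `ansible_distribution_version`, which is what a `'15.04'` comparison reads as intending. As with the CentOS task, the two ipset files are copied and firewalld reloaded, but no visible change attaches the ipsets to the zone.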