Remove extra TCP ports from firewall rules

Now all web hosts get TCP 80 and 443 open automatically.

host_vars/web19

@@ -1,93 +1,90 @@
 $ANSIBLE_VAULT;1.1;AES256
-61656664353138633065303035666561313533626634653961653463386162663835383330353538
+65663536313134623237366561313432326563363838633136343935646463366365623639663431
-3937313464323231366361353036303262316537623035640a653039616137663862313235376435
+3936643964663264616638343262306431303531306636370a636564383532343736333131393036
-62623932373034326334376162336237306365326531356338366638643361626461663066303161
+37396335336638383531623437653836393830616134353637366563383064383464343637383563
-3736316264346666650a396436643233343365646232383333366133323334386438623464616265
+3961623466653065360a636538346465303137346566383361323664613862313331363165326336
-34333435626465343363363339383634633461326330616533373361623535633262303962316562
+63383439633731653037396439346637336563346536303139383765333435633130613737393561
-35306533616238346164313430366633636365316365613030323231336438613832383839633931
+61333836663431303165663265636562306462633138643665663433613838623035366133386331
-66323438303961636130653636313765333631393138653664643533373366333466376663386134
+64656139623336333332666664353430323334396534663764313964656231623630653365396336
-35353139366462663337613232323937653231626365386539653837613830333830643564616366
+35383239326432323263653562653466323765636264353536373439303833633934386632363063
-30373938326233383536353230376163393962653933663262376664626437656363346132643038
+34373033356538343637653063393335373735613136393965326231646630643330343463343634
-66373037386666313266303639663735373333616230333637393133376133323234323737646462
+37613461303564323934393739313666653138306566643039343463636532316462336239643234
-31323731336135616264633137303534383664333439613836333037323036633661666536636235
+62393330326163396564393038383438376633313262613832653363613666353232616534343833
-34363239313938326361366634313562626339613237346131393234333132656534666232343239
+32643661346339333664366239613437383435393061333365303935303363613031313365336631
-66346539626264363163313435376665313266366337646531343661323665633634633961376466
+30303163383061383266633434323937633962396663643265336537316431623532363365373263
-34323637363161653035353631633865323133656334383332646233653637383838343763303231
+66333165613666356633636562306138326363336233646634313531653765636531386338343239
-66376466303531336438396466626233386232616330626365386536663265316637366166336163
+35383433366564663938363739633364393131643866383937316135646166323031653261633930
-64643433336263643831313737613139616236653332616462636438643362366635333739383132
+30323234633430366361666563633432383636323638643130323164393466623062353536306465
-35323133363565313164396635303335626537636636633266303862396536643535343430616233
+32613463343334323763316337636266633763613862376562393638643664643362653033303936
-63613332613937656230333438616632313963386462656332373730343633663062356533326435
+39323164346465636137343239663264336463623632353633653333343566623835636331633833
-33613964323866643437616439353462373435343462616139393934663861653666353566666433
+37323762303830373234643362623731336266326335353764356465386332306366303031343766
-37396366356634613637306362393161643332623432326633376564666130646333316265656363
+35353263306161363530633464376534316231373262643066323233633365323962313466326432
-33383631616637343237633532303137613466626262616166333763313334656438656534366566
+65656239333737393164636437633234376330386466663661626632356435653362663566396263
-37613762623538336161643035393532383639653639376434316539663066626563633063303635
+65316466396636386632333438623961323938653139623265616239653564376430343363346336
-39333563636535343535333739353834626239303666323137356434656630343731626639646637
+64363837303063626366373466383934646434343334383736373561393235613637653532396562
-64306265313036363234303965396462633630653733363263303130343536656637356135356466
+30346238393130343462653864656365326535353864613034326630653465333935303038363663
-63353339353735646466643464613535323538343030653636366563643238303137313662646631
+34663462633930613264333534616334633733663061326163313663313936326364393265333335
-38363233386462396166383237396533343737383836623234663965343136643339626238663931
+31313730623937356166326263613765323163643633616534346466363965366464303464326438
-35343630303833396538663236363039656463643336333238656661316566353033353839646565
+65393631636131393736353663383938663762326537643135363337316466353430616364303037
-65306338313366666165643962303465663438316233356661643162663237393437343332623833
+64373837613466613032653137323564303937626339626638663666613134613036373938323432
-39353837316363633937396537336166333736613162363632363864356663333938313533303166
+33663135366639363339376236363430363464663862386665643530363835336339646535363931
-31633862633139303639386237386535393562303836663331663234643239666662663463393230
+36346430623934343061663463396636306531663134643363313839306461393461666334393231
-65333938333833613165636438666664336539323162616333623564333835353363396439353961
+30633364313335386362303532373534616336643835313062313862636261363562396638623833
-64616666346336396535356635626565656233306538323333316462353837346562613663646630
+36653932656163373832653738643864353964303736303339343738616137326234636133303334
-66633165653236363038396139633662323931343731343134373034636536633232323066613161
+34653732386433343434633933373834636136646632306536313162313864313339653631346464
-30613836613437666161623734356539626238343935616666643439636639636563656533366266
+32393766303963316639643730613334396562333734393063333762333862663739333964316637
-35313430633263623862643335393232386338353761383038303733656164356133323061666536
+37616630383932656133313137623435626133666537313837663438663663623964386363353233
-33643933626664613935313039336438633539373735376434353862313264653934613637323533
+36343138633933336633306133356136663130313963333066356665643932623362383630323566
-65323336373536626437313064376661373530623466323366393064623439396631393732653561
+63363933653131303630313366373361366264663866333464623963613635323334636538376635
-31326262663162656661666633663264396334656636626461316231613864316466366637373666
+66323436356331616461663235613361643732316235626136653664306138363434383532373466
-38636339383739646139363865366232323564333934356331353666393531666263646663366330
+35643233333039666133626435393737383930623734336164366432363132303538313637363364
-61353934613934663232373031646133303331656338626534343930393831353633646361383139
+63393738393139303264653763643263613363343738343938616636636530323362323631363633
-35343762336530386138633762623062353337613538306134323466386534353836616334373730
+61336565333961636335613162383733353634346662336431396565343239326232613966373739
-66366361373537336664663831353265353935383963306636656561336164666131313966373431
+31353563323763353862663161346538346139363064653761303331393036636439313632666464
-33366131396466613835636636353734386262666534323331343235623166356438613636383633
+37356165346264333761346137386435323435623162393138613166613163333330613135613831
-35393566656263653330393930366133346566313439323462333865323330663630303838346331
+32653130343034666464343564616138393462386637653938396163303737303161386231306265
-61633734623862313835306433383466663935633338616633323730666362613931666661343037
+35306163653839313034316364653061626439353434336432323262363633623330613561323038
-62643731366465353337396138653630366536653261313134643831376461353634636662666537
+66383331323631323437306536623566653966303332663535316631626262343662623730393963
-64373835633331356535393436616265333035616139393331363130306234323331663539666266
+35343636396138326431393263663665633230623364643232626538633131653939623131613434
-61343838313930666463316138643831316134376139386233306663626562616565343662316638
+66626439656365393733613265333438613462656563303262363937616132656464666339633336
-35303232346638353530386537646139656233633963303564613634356436396530353235613039
+39323535616531666263623665326239396231383939616166613366393430636435313866323132
-64393734383563323337373963353834386433633666356166666136346439623666663363366661
+66396332396265353633626332306230653736313439386635643236313664653337366635303861
-64333431623563656361376530373762346563343134393439346130336138396436383835316138
+31636333336666653137343432646438353066643766383438663237646130353135333764613866
-35636637336162346234373837386263343035613537346666303634393730643665373734613333
+61613035613266623464626639393534626236666161386262373634353232303230336130363037
-32653465616634666161313232353030633135346438376432666563356634333136386262636136
+34366435383831313863653762616163373632636363306337353765386232306534306433656339
-64653735623737333833366434343337643864306339316461623139613633313730356237663930
+66353532303637373232376134383838303736353131383464386461303839336238643463326662
-32316638363131623766353134656431326630636165363236633465393263383933353234336530
+61333663323536613539313730396236666135346535633537616365313033363732643631323431
-31346438616434646239633661343431343633306436353561393334336533343866316237343164
+33613037346663623539666538386339653531353432383930363235616565343262353138643833
-39633132363134313935663234323231663032333933376339656137376333366363663330343066
+38653531663962316236313437616662663931646464323763333064303432656537613363383032
-64306431383362643935663963383238356462663964383664636436313136373162356534353165
+33333837383332616238316165343863613864393235363537376264653961373465656333366639
-64306566313435663839666564643530666432343763663636306637326338376366373133616438
+39366439316663303865656366343565343366353566363331616632363830613037366162663437
-32623963313164323130323839323331643138653266343064393536373538656566623965366434
+35663661646133343263343264313430303432363566343164633762663361396462643162626137
-35306161393763333836623833383233613839393761643532626631646461396265653632633461
+30373233326533313266373630356530643732343235653764636363393034363537326265363730
-61656137393235306162366262663762346164643964363730373536616362386365653437313461
+33363333373633393764643032303732356464636263333039323364643337343339613762633732
-37353231353338336539636361386438333664393530646335633461336435626663653830356466
+38353364313231613563326534636434376532333736613937313463636431623762353134313863
-36623964623635393436386361643331373864646233316463643261383431333163373430306535
+36666638616433653139333234316638633835626634343139363861633239643430623364633336
-62653539396265643365623431393430383663386131376163393538343261653362663433666433
+31363630306131376231646535323437633733666537316662663439666130343966633938356538
-35306634313131353532626461643930386338356561326533393363323037383133306637313339
+31646132613161383264306139396239663638336165326238386461303961323837346435356464
-38376332613632363265613033393332613837333936303065623332346164333162316161383932
+39623862636235323662356265666235613238396263396337353065396535363165613439663063
-36363966313331373463616236306439343364323032623865306262663663336636613936336337
+35323361353037353263393965303334393136386138633734303632326631343035666562373565
-33316263653139393035306361333631303437303337613830316536633030346539653764366666
+37313833323533326164643430333839643138386237376465643465663439383939323534303538
-35666535353235373431626166663366356432306439653335393832633531336266366639373762
+61633237643637313832663338373938373935656166323432383763396236326430653666623165
-62383566363033663161336130363739343037313438643633636666343733313532396439303137
+39616638383862616639316261666335666131643866663534313731326461346437323236623966
-39636534383638623461623832653766633865656662363334303161323532623137323434373633
+34343735626630373265353330373738613762333264626666353936373230366133626134306634
-62666633316133396239363936323862616234373535386534653166653731396334633064353466
+31633131636165663362616434653061373532666534643866613861366461316461653163633063
-37646464646437343263663361616163346665376661363963623536333965653062383939353362
+61333231306363653763326264303165323461653234613337313064313035633866653762393363
-64373131333263316232313261646132376233333165643137643931336539353531336638303831
+66376338336635653966636361636566353135373930643432346236336564303632303636356165
-63383261666261393037316437336538376530396333336339633664326365346332616335636538
+33653038613664636362353461326164376163653634373737643762636631396461313662633361
-61356336666236306133323431393763653336636132343335656238356131366432626266656539
+61356335376235376363333465616230373937663330646430663237306465653266313865353038
-36343262313464653733396437623339633138353163656165353363393233316632303135626635
+66303938303734643633656561653439316365623833333438393963386565363162363731316239
-62643735323137376633316662343335373663643539353934623538666164363135643034613566
+38383531613238333633306432643062313930613733343735643637303438626638333734303362
-37356138376463366235626232343231323935633339643234626537653931613166633337366563
+33333566346664366536656333643235636635343639653863336266633939616563333964613963
-38383761356262386537373136366131323330383834326534623830616435316633393730396533
+31336237666234616136353033663031346666383564626265303835326437353437653531616336
-36343732386261616461313836346131656331396438366431636361643539666264383439643661
+62376264353839363566303130393537633565646332343966333331323538343333623766656363
-62626332363266393439653137653438343431633933653930383762323439636137363834623834
+62373633366665653163653530626230313530346430363536303132623664646166316438333038
-36366533633363623731383161363535346632313965616539373364623835333733333766356462
+35306334383766333264323235623866633331636433336263313334633331303662623263343162
-38363838636364383037633230336636363565613231326638306432393634343865356632323638
+31663331643336623431333364633863653333393361313064616236643431633963366331323262
-32353931656564653361373665393065396337346435343638626265333038653730613731393230
+63656238373433396165333239666332653839363431663164373261386664376161656534663134
-64316264383039353663613962643734356661313761626638363063626333633330613536353830
+36653435333563376536396536653464346430326565653561353361323635656137616632353633
-38653063656363663532366632376638313339613764363931303861626132663566636234613836
+39363036643837306431623335646230643533353334656137313666376337633832653862313830
-64343161646634316139616236366234666335633163613565336539386439373038366362353337
+38306639303137633364353561386435653663326534393364313163663964366539
-38323133633637653537363161366231393362303161343130666261663936383866333762316631
-32313332336333626362333037613331343230646532396465653634396638303637656535306532
-31623135346332613133

host_vars/web20

@@ -1,40 +1,38 @@
 $ANSIBLE_VAULT;1.1;AES256
-61636430353563303666303437643561616133666338653866366366396630313131313437643862
+34326537633464633537356334326565663133373634616635346466646239653334373235316234
-6361363036623637623463653734373166353634663666320a313533626237633165353232363330
+3766373939636238643137646430376534306331636333620a343535343563663237633034653936
-64306366363162376334363738383966343762633339363065356337336230373262363132306365
+36393639633362643835653863633937663734333965363932623438306436613139346538313762
-6438313136313538650a323763633066616135623535383739386364633132633263363236343966
+3165303261303563380a393435316132373564663063663566623833336638393237326335333136
-36363033613936383261663061633032353735373334356539326663366137653534646162343238
+34323738383266626566326439363064366563353035643833633835626533306539383532326239
-33663633633562343964386464613735663662346133316137396263626137643565353566333564
+31303933386265643264376336393633613432343263346330353736323066626538363162643461
-65353038396631646262306361356539343532303535386330396331333832613230346665396535
+66366335656164313865373065636433333030656534356461663730613363613531653934636663
-30353339653661396238336261333865616666623664663861356238626465316661616133363364
+39636234623765386132663561613335373264326566663230653437376136303138393638363564
-33623137306136653666333135633136336364373763346332633536306630306463303837656330
+66386661653736373033616365336637343835316632336631306637643166366534303762626536
-39613163383461373638623931333936383861616462383466656236303835326533363763333439
+31376233626662646635376465626136653962616265346365643531363632643930653032306131
-33343966353136613434313330613638316366373065343663626230336136663033663862333262
+33653133363931666135663237323133653461323038653535633138653837363030363464323464
-39383430363861343330313633343836343733336366316563313731343462376361646538343361
+37663661643139343638393137636532303866623132303632353863353736323536313832373931
-35306331666631313566303838653737333230386436323038366639316532373739366530353464
+37366334636139396264656538336465666463393764326639366465613662343965393339623165
-64396331383238623366666132376564646439386465666533656136386263393333396564343063
+62303732316632343062313432316265356564376336633935373131333161396332346431633633
-62623235666561356333663763313266623034613263303265663336373531666233303234373531
+31313238376435326662613461373931356633336538613939356166363631646538373862636139
-30346133363264396464333031393266316634393136343538313561396661383239383361633530
+31376533323966663838366332613331313365643539643861626263303436316231623833626537
-65396636313162323839623139613164613766336438366166623739633164323537353964643437
+34333733393935326534343038633463363964393263396531383635633437376633616461656361
-63333461613966643362633131313735306435663638366635333335633465633531613937396265
+32613634643931666461363332353762623064306632303564633633373565373930326134313765
-66646530366165643235326230633431643332616562316662646633346336613936623434616361
+31613130326335323363306335303662376262383738383531303937346366333137373961393066
-32356637353932633662323233373965633462623839643534323762303934633231303435626339
+39663936636265386236646536666466653938663135386463346231626566303035616330643063
-64663761356639313535323361363161333864333435643131663963316636623239333963396432
+30363362643637303634636165313539383039653164653166656335333763666435323762613838
-36376561353661383831623535383466366238346361386438653739386632633134643134643662
+39306463643937306435376336616466376337633132326365313939363463613739663638663962
-35376239383736343365376565616631383633636363626434313663616336313565366239383332
+65303533663533303862383631363432636464653437376335376131333739663164336161356630
-32336336326163343537343062383636656233666238633433643331363764623765613862323238
+66323535306232333330383832356437653539393363336630303639626365613463363364353464
-61626630666566623266363465333830636138616639663132393333343563653138663633316364
+65356162346430636166343636663735393838636332396261343065363862346638323132323363
-30663537633031663066346461343562346438646539376434353565303564356165336463326237
+65343439383937633138303039376336333130313763326331373262343461626434633866383135
-39393932636431323130633035343535316436653835366233633362393839363365656665363464
+62306163613639646137386630643631383462653738313535333863663431303437383236643435
-32373834613364623333383563633236343264386463366433373530313837353636376139343532
+63643463323537633764653464366235633466663839333265663734663038366666336635363064
-30653431313235663036626135616139666365666539643163396666373939323437363762306339
+30343639353665336237363530313531363866376237656333313236643035383031646134653765
-39613638663137663737336531333937393965373765626161393837656264303362623235323764
+37616636613364613163343735633366303832633964633564356362643337613532396262393631
-37383637353765613031306536326537646338343538636163326338636137343636373335386232
+32373464343338636231323435393163346339646263333234636432313434333334636565333737
-37363263376561623934313766323836353735626538346639353365656664306266303863343434
+64363536666662656262393931646632303532373664616434316465393836336565343362616138
-37306435323837343830633336303562653737303134633266343238356430383466396561323938
+63666263653231353732336365383465623236656239653136323765653132376237306163653062
-36653536666133663963393735323764666132343233636435336431613831336561303331363236
+30316134623161323935383536353939393565313138333664646539663337383236336631303265
-31643035376165303337386331323762616361666437313531666432616439393233666631326366
+65363164626130633131636535623965383031353735373734656166633230303965303236626134
-61313237393737633639353864663134393539363562376236646239616438373437623734313635
+64633536366238336630366138323462653263653238343839393365383162366333333664646261
-34376161633738343164323762343665306664386430313439303935333135316561326138643532
+3638
-34623235383662386335646535616237366366303539383237666462613835633938383462646130
-363931303435656133356261366538633266

roles/common/files/aggregate-cidr-addresses.pl

@@ -0,0 +1,89 @@
+#!/usr/bin/perl
+#
+# aggregate-cidr-addresses - combine a list of CIDR address blocks
+# Copyright (C) 2001,2007 Mark Suter <suter@zwitterion.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see L<http://www.gnu.org/licenses/>.
+#
+# [MJS 22 Oct 2001] Aggregate CIDR addresses
+# [MJS  9 Oct 2007] Overlap idea from Anthony Ledesma at theplanet dot com.
+# [MJS 16 Feb 2012] Prompted to clarify license by Alexander Talos-Zens - at at univie dot ac dot at
+# [MJS 21 Feb 2012] IPv6 fixes by Alexander Talos-Zens
+# [MJS 21 Feb 2012] Split ranges into prefixes (fixes a 10+ year old bug)
+
+use strict;
+use warnings;
+use English qw( -no_match_vars );
+use Net::IP;
+
+## Read in all the IP addresses
+my @addrs = map { Net::IP->new($_) or die "$PROGRAM_NAME: Not an IP: \"$_\"."; }
+    map { / \A \s* (.+?) \s* \Z /msix and $1; } <>;
+
+## Split any ranges into prefixes
+@addrs = map {
+    defined $_->prefixlen ? $_ : map { Net::IP->new($_) }
+        $_->find_prefixes
+} @addrs;
+
+## Sort the IP addresses
+@addrs = sort { $a->version <=> $b->version or $a->bincomp( 'lt', $b ) ? -1 : $a->bincomp( 'gt', $b ) ? 1 : 0 } @addrs;
+
+## Handle overlaps
+my $count   = 0;
+my $current = $addrs[0];
+foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
+    my $r = $current->overlaps($next);
+    if ( $current->version != $next->version or $r == $IP_NO_OVERLAP ) {
+        $current = $next;
+        $count++;
+    }
+    elsif ( $r == $IP_A_IN_B_OVERLAP ) {
+        $current = $next;
+        splice @addrs, $count, 1;
+    }
+    elsif ( $r == $IP_B_IN_A_OVERLAP or $r == $IP_IDENTICAL ) {
+        splice @addrs, $count + 1, 1;
+    }
+    else {
+        die "$PROGRAM_NAME: internal error - overlaps() returned an unexpected value!\n";
+    }
+}
+
+## Keep aggregating until we don't change anything
+my $change = 1;
+while ($change) {
+    $change = 0;
+    my @new_addrs = ();
+    $current = $addrs[0];
+    foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
+        if ( my $total = $current->aggregate($next) ) {
+            $current = $total;
+            $change  = 1;
+        }
+        else {
+            push @new_addrs, $current;
+            $current = $next;
+        }
+    }
+    push @new_addrs, $current;
+    @addrs = @new_addrs;
+}
+
+## Print out the IP addresses
+foreach (@addrs) {
+    print $_->prefix(), "\n";
+}
+
+# $Id: aggregate-cidr-addresses,v 1.9 2012/02/21 10:14:22 suter Exp suter $

roles/common/files/spamhaus-ipv4.nft

@@ -0,0 +1,5 @@
+#!/usr/sbin/nft -f
+
+define SPAMHAUS_IPV4 = {
+192.168.254.254/32
+}

roles/common/files/spamhaus-ipv6.nft

@@ -0,0 +1,5 @@
+#!/usr/sbin/nft -f
+
+define SPAMHAUS_IPV6 = {
+fd21:3523:74e0:7301::/64
+}

roles/common/files/update-spamhaus-nftables.service

@@ -0,0 +1,27 @@
+[Unit]
+Description=Update Spamhaus lists
+# This service will fail if nftables is not running so we use Requires to make
+# sure that nftables is started.
+Requires=nftables.service
+# Make sure the network is up and nftables is started
+After=network-online.target nftables.service
+Wants=network-online.target update-spamhaus-nftables.timer
+
+[Service]
+# https://www.ctrl.blog/entry/systemd-service-hardening.html
+# Doesn't need access to /home or /root
+ProtectHome=true
+# Possibly only works on Ubuntu 18.04+
+ProtectKernelTunables=true
+ProtectSystem=full
+# Newer systemd can use ReadWritePaths to list files, but this works everywhere
+ReadWriteDirectories=/etc/nftables
+PrivateTmp=true
+WorkingDirectory=/var/tmp
+
+SyslogIdentifier=update-spamhaus-nftables
+ExecStart=/usr/bin/flock -x update-spamhaus-nftables.lck \
+          /usr/local/bin/update-spamhaus-nftables.sh
+
+[Install]
+WantedBy=multi-user.target

roles/common/files/update-spamhaus-nftables.sh

@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+#
+# update-spamhaus-nftables.sh v0.0.1
+#
+# Download Spamhaus DROP lists and load them into nftables sets.
+# 
+# See: https://www.spamhaus.org/drop/
+#
+# Copyright (C) 2021 Alan Orth
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Exit on first error
+set -o errexit
+
+spamhaus_ipv4_set_path=/etc/nftables/spamhaus-ipv4.nft
+spamhaus_ipv6_set_path=/etc/nftables/spamhaus-ipv6.nft
+
+function download() {
+    echo "Downloading $1"
+    wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
+}
+
+download drop.txt
+download edrop.txt
+download dropv6.txt
+
+if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
+    echo "Processing IPv4 DROP lists"
+
+    spamhaus_ipv4_list_temp=$(mktemp)
+    spamhaus_ipv4_set_temp=$(mktemp)
+
+    # Extract all networks from drop.txt and edrop.txt, skipping blank lines and
+    # comments. Use aggregate-cidr-addresses.pl to merge overlapping IPv4 CIDR
+    # ranges to work around a firewalld bug.
+    #
+    # See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
+    cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' | aggregate-cidr-addresses.pl > "$spamhaus_ipv4_list_temp"
+
+    echo "Building spamhaus-ipv4 set"
+    cat << NFT_HEAD > "$spamhaus_ipv4_set_temp"
+#!/usr/sbin/nft -f
+
+define SPAMHAUS_IPV4 = {
+NFT_HEAD
+
+    while read -r network; do
+        # nftables doesn't mind if the last element in the set has a trailing
+        # comma so we don't need to do anything special here.
+        echo "$network," >> "$spamhaus_ipv4_set_temp"
+    done < $spamhaus_ipv4_list_temp
+
+    echo "}" >> "$spamhaus_ipv4_set_temp"
+
+    install -m 0600 "$spamhaus_ipv4_set_temp" "$spamhaus_ipv4_set_path"
+
+    rm -f "$spamhaus_ipv4_list_temp" "$spamhaus_ipv4_set_temp"
+fi
+
+if [[ -f "dropv6.txt" ]]; then
+    echo "Processing IPv6 DROP lists"
+
+    spamhaus_ipv6_list_temp=$(mktemp)
+    spamhaus_ipv6_set_temp=$(mktemp)
+
+    sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt > "$spamhaus_ipv6_list_temp"
+
+    echo "Building spamhaus-ipv6 set"
+    cat << NFT_HEAD > "$spamhaus_ipv6_set_temp"
+#!/usr/sbin/nft -f
+
+define SPAMHAUS_IPV6 = {
+NFT_HEAD
+
+    while read -r network; do
+        echo "$network," >> "$spamhaus_ipv6_set_temp"
+    done < $spamhaus_ipv6_list_temp
+
+    echo "}" >> "$spamhaus_ipv6_set_temp"
+
+    install -m 0600 "$spamhaus_ipv6_set_temp" "$spamhaus_ipv6_set_path"
+
+    rm -f "$spamhaus_ipv6_list_temp" "$spamhaus_ipv6_set_temp"
+fi
+
+echo "Reloading nftables"
+# The spamhaus nftables sets are included by nftables.conf
+/usr/sbin/nft -f /etc/nftables.conf
+
+rm -v drop.txt edrop.txt dropv6.txt

roles/common/files/update-spamhaus-nftables.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=Update Spamhaus lists
+
+[Timer]
+# Once a day at midnight
+OnCalendar=*-*-* 00:00:00
+# Add a random delay of 0–3600 seconds
+RandomizedDelaySec=3600
+Persistent=true
+
+[Install]
+WantedBy=timers.target

roles/common/handlers/main.yml

@@ -15,3 +15,6 @@
 
 - name: reload systemd
   systemd: daemon_reload=yes
+
+- name: reload nftables
+  systemd: name=nftables state=reloaded

roles/common/tasks/firewall_Debian.yml

@@ -1,7 +1,9 @@
 ---
+# Debian 11 will use nftables directly, with no firewalld.
 
 - block:
   - name: Set Debian firewall packages
+    when: ansible_distribution_major_version is version('10', '<=')
     set_fact:
       debian_firewall_packages:
         - firewalld
@@ -9,12 +11,43 @@
         - fail2ban
         - python3-systemd # for fail2ban systemd backend
 
-  - name: Install firewalld and deps
+  - name: Set Debian firewall packages
-    when: ansible_distribution_major_version is version('9', '>=')
+    when: ansible_distribution_major_version is version('11', '>=')
-    apt: pkg={{ debian_firewall_packages }} state=present
+    set_fact:
+      debian_firewall_packages:
+        - fail2ban
+        - libnet-ip-perl # for aggregate-cidr-addresses.pl
+        - nftables
+        - python3-systemd
+
+  - name: Install firewall packages
+    apt: pkg={{ debian_firewall_packages }} state=present cache_valid_time=3600
+
+  - name: Start and enable nftables
+    when: ansible_distribution_major_version is version('11', '>=')
+    systemd: name=nftables state=started enabled=yes
+
+  - name: Copy nftables.conf
+    when: ansible_distribution_major_version is version('11', '>=')
+    template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
+    notify:
+      - reload nftables
+
+  - name: Create /etc/nftables extra config directory
+    when: ansible_distribution_major_version is version('11', '>=')
+    file: path=/etc/nftables state=directory owner=root mode=0755
+
+  - name: Copy extra nftables configuration files
+    when: ansible_distribution_major_version is version('11', '>=')
+    copy: src={{ item }} dest=/etc/nftables/{{ item }} owner=root group=root mode=0644 force=no
+    loop:
+      - spamhaus-ipv4.nft
+      - spamhaus-ipv6.nft
+    notify:
+      - reload nftables
 
   - name: Use iptables backend in firewalld
-    when: ansible_distribution_major_version is version('10', '>=')
+    when: ansible_distribution_major_version is version('10', '==')
     lineinfile:
       dest: /etc/firewalld/firewalld.conf
       regexp: '^FirewallBackend=nftables$'
@@ -26,7 +59,7 @@
 # backend. Using individual calls seems to work around it.
 # See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
   - name: Use individual iptables calls
-    when: ansible_distribution_major_version is version('10', '>=')
+    when: ansible_distribution_major_version is version('10', '==')
     lineinfile:
       dest: /etc/firewalld/firewalld.conf
       regexp: '^IndividualCalls=no$'
@@ -35,24 +68,69 @@
       - restart firewalld
 
   - name: Copy firewalld public zone file
-    when: ansible_distribution_major_version is version('9', '>=')
+    when: ansible_distribution_major_version is version('10', '<=')
     template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
 
   - name: Format public.xml firewalld zone file
-    when: ansible_distribution_major_version is version('9', '>=')
+    when: ansible_distribution_major_version is version('10', '<=')
     command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
     notify:
       - restart firewalld
 
-  - name: Copy ipsets of abusive IPs
+  - name: Copy firewalld ipsets of abusive IPs
-    when: ansible_distribution_major_version is version('9', '>=')
+    when: ansible_distribution_major_version is version('10', '<=')
     copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
     loop:
       - abusers-ipv4.xml
       - abusers-ipv6.xml
+      - spamhaus-ipv4.xml
+      - spamhaus-ipv6.xml
     notify:
       - restart firewalld
 
+  - name: Copy Spamhaus firewalld update script
+    when: ansible_distribution_version is version('10', '<=')
+    copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
+
+  - name: Copy Spamhaus firewalld systemd units
+    when: ansible_distribution_version is version('10', '<=')
+    copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
+    loop:
+        - update-spamhaus-lists.service
+        - update-spamhaus-lists.timer
+    register: spamhaus_firewalld_systemd_units
+
+  - name: Copy Spamhaus nftables update scripts
+    when: ansible_distribution_version is version('11', '>=')
+    copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
+    loop:
+      - update-spamhaus-nftables.sh
+      - aggregate-cidr-addresses.pl
+
+  - name: Copy Spamhaus nftables systemd units
+    when: ansible_distribution_version is version('11', '>=')
+    copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
+    loop:
+        - update-spamhaus-nftables.service
+        - update-spamhaus-nftables.timer
+    register: spamhaus_nftables_systemd_units
+
+  # need to reload to pick up service/timer/environment changes
+  - name: Reload systemd daemon
+    systemd: daemon_reload=yes
+    when: spamhaus_firewalld_systemd_units is changed or
+          spamhaus_nftables_systemd_units is changed
+
+  - name: Start and enable Spamhaus firewalld update timer
+    when: ansible_distribution_version is version('10', '<=')
+    systemd: name=update-spamhaus-lists.timer state=started enabled=yes
+    notify:
+      - restart firewalld
+
+  - name: Start and enable Spamhaus nftables update timer
+    when: ansible_distribution_version is version('11', '>=')
+    systemd: name=update-spamhaus-nftables.timer state=started enabled=yes
+
   - include_tasks: fail2ban.yml
     when: ansible_distribution_major_version is version('9', '>=')
   tags: firewall

roles/common/tasks/firewall_Ubuntu.yml

@@ -1,7 +1,14 @@
 ---
+# Ubuntu 20.04 will use nftables directly, with no firewalld.
+# Ubuntu 18.04 will use firewalld with the nftables backend.
+# Ubuntu 16.04 will use firewalld with the iptables backend.
 
 - block:
+  - include_tasks: firewall_Ubuntu_cleanup.yml
+    when: ansible_distribution_version is version('20.04', '==')
+
   - name: Set Ubuntu firewall packages
+    when: ansible_distribution_version is version('20.04', '<')
     set_fact:
       ubuntu_firewall_packages:
         - firewalld
@@ -9,47 +16,57 @@
         - fail2ban
         - python3-systemd # for fail2ban systemd backend
 
-  - name: Install firewalld and deps
+  - name: Set Ubuntu firewall packages
-    when: ansible_distribution_version is version('16.04', '>=')
+    when: ansible_distribution_version is version('20.04', '>=')
-    apt: pkg={{ ubuntu_firewall_packages }} state=present
+    set_fact:
+      ubuntu_firewall_packages:
+        - fail2ban
+        - libnet-ip-perl # for aggregate-cidr-addresses.pl
+        - nftables
+        - python3-systemd
+
+  - name: Install firewall packages
+    apt: pkg={{ ubuntu_firewall_packages }} state=present cache_valid_time=3600
 
   - name: Remove ufw
     when: ansible_distribution_version is version('16.04', '>=')
     apt: pkg=ufw state=absent
 
-  # I'm not sure why, but you can use firewalld with the nftables backend even
+  - name: Start and enable nftables
-  # if nftables itself is not installed. In that case the only way to see the
+    when: ansible_distribution_version is version('20.04', '>=')
-  # currently active rules is with firewall-cmd. I prefer installing nftables
+    systemd: name=nftables state=started enabled=yes
-  # so that we can have somewhat of a parallel with iptables:
-  #
-  #   nft list ruleset
-  #
-  # See: https://firewalld.org/2018/07/nftables-backend
-  - name: Install nftables
-    when: ansible_distribution_version is version('20.04', '==')
-    apt: pkg=nftables state=present
 
-  - name: Use nftables backend in firewalld
+  - name: Copy nftables.conf
-    when: ansible_distribution_version is version('20.04', '==')
+    when: ansible_distribution_version is version('20.04', '>=')
-    lineinfile:
+    template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
-      dest: /etc/firewalld/firewalld.conf
-      regexp: '^FirewallBackend=iptables$'
-      line: 'FirewallBackend=nftables'
     notify:
-      - restart firewalld
+      - reload nftables
+
+  - name: Create /etc/nftables extra config directory
+    when: ansible_distribution_version is version('20.04', '>=')
+    file: path=/etc/nftables state=directory owner=root mode=0755
+
+  - name: Copy extra nftables configuration files
+    when: ansible_distribution_version is version('20.04', '>=')
+    copy: src={{ item }} dest=/etc/nftables/{{ item }} owner=root group=root mode=0644 force=no
+    loop:
+      - spamhaus-ipv4.nft
+      - spamhaus-ipv6.nft
+    notify:
+      - reload nftables
 
   - name: Copy firewalld public zone file
-    when: ansible_distribution_version is version('16.04', '>=')
+    when: ansible_distribution_version is version('18.04', '<=')
     template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
 
   - name: Format public.xml firewalld zone file
-    when: ansible_distribution_version is version('16.04', '>=')
+    when: ansible_distribution_version is version('18.04', '<=')
     command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
     notify:
       - restart firewalld
 
-  - name: Copy ipsets of abusive IPs
+  - name: Copy firewalld ipsets of abusive IPs
-    when: ansible_distribution_version is version('16.04', '>=')
+    when: ansible_distribution_version is version('18.04', '<=')
     copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
     loop:
       - abusers-ipv4.xml
@@ -59,30 +76,49 @@
     notify:
       - restart firewalld
 
-  - name: Copy Spamhaus update script
+  - name: Copy Spamhaus firewalld update script
-    when: ansible_distribution_version is version('16.04', '>=')
+    when: ansible_distribution_version is version('18.04', '<=')
     copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
 
-  - name: Copy Spamhaus systemd units
+  - name: Copy Spamhaus firewalld systemd units
-    when: ansible_distribution_version is version('16.04', '>=')
+    when: ansible_distribution_version is version('18.04', '<=')
     copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
     loop:
         - update-spamhaus-lists.service
         - update-spamhaus-lists.timer
-    register: spamhaus_systemd_units
+    register: spamhaus_firewalld_systemd_units
+
+  - name: Copy Spamhaus nftables update scripts
+    when: ansible_distribution_version is version('20.04', '>=')
+    copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
+    loop:
+      - update-spamhaus-nftables.sh
+      - aggregate-cidr-addresses.pl
+
+  - name: Copy Spamhaus nftables systemd units
+    when: ansible_distribution_version is version('20.04', '>=')
+    copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
+    loop:
+        - update-spamhaus-nftables.service
+        - update-spamhaus-nftables.timer
+    register: spamhaus_nftables_systemd_units
 
   # need to reload to pick up service/timer/environment changes
   - name: Reload systemd daemon
     systemd: daemon_reload=yes
-    when: spamhaus_systemd_units is changed
+    when: spamhaus_firewalld_systemd_units is changed or
+          spamhaus_nftables_systemd_units is changed
 
-  - name: Start and enable Spamhaus update timer
+  - name: Start and enable Spamhaus firewalld update timer
-    when: ansible_distribution_version is version('16.04', '>=')
+    when: ansible_distribution_version is version('18.04', '<=')
     systemd: name=update-spamhaus-lists.timer state=started enabled=yes
-
     notify:
       - restart firewalld
 
+  - name: Start and enable Spamhaus nftables update timer
+    when: ansible_distribution_version is version('20.04', '>=')
+    systemd: name=update-spamhaus-nftables.timer state=started enabled=yes
+
   - include_tasks: fail2ban.yml
     when: ansible_distribution_version is version('16.04', '>=')
   tags: firewall

roles/common/tasks/firewall_Ubuntu_cleanup.yml

@@ -0,0 +1,40 @@
+---
+# Clean up previous firewalld configuration on Ubuntu 20.04, now that we are
+# migrating to a pure nftables configuration.
+
+- name: Stop and disable firewalld
+  systemd: name=nftables state=stopped enabled=no
+
+- name: Set Ubuntu firewall packages to remove
+  set_fact:
+    ubuntu_firewall_packages:
+      - firewalld
+      - tidy
+
+- name: Remove old firewall packages
+  apt: pkg={{ ubuntu_firewall_packages }} state=absent
+
+- name: Remove old firewalld zone and ipsets
+  file: dest={{ item }} state=absent
+  loop:
+    - /etc/firewalld/zones/public.xml
+    - /etc/firewalld/ipsets/abusers-ipv4.xml
+    - /etc/firewalld/ipsets/abusers-ipv6.xml
+    - /etc/firewalld/ipsets/spamhaus-ipv4.xml
+    - /etc/firewalld/ipsets/spamhaus-ipv6.xml
+
+- name: Stop and disable old Spamhaus firewalld systemd timer
+  systemd: name=update-spamhaus-lists.timer state=stopped enabled=no
+
+- name: Remove old Spamhaus firewalld update script and systemd units
+  file: dest=/usr/local/bin/update-spamhaus-lists.sh state=absent
+  loop:
+    - /usr/local/bin/update-spamhaus-lists.sh
+    - /etc/systemd/system/update-spamhaus-lists.service
+    - /etc/systemd/system/update-spamhaus-lists.timer
+
+# need to reload to pick up service/timer/environment changes
+- name: Reload systemd daemon
+  systemd: daemon_reload=yes
+
+# vim: set sw=2 ts=2:

roles/common/tasks/packages_Debian.yml

@@ -3,6 +3,7 @@
 - block:
   - name: Configure apt mirror
     template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
+    when: ansible_architecture != 'armv7l'
 
   - name: Set fact for base packages
     set_fact:

roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2

@@ -2,8 +2,13 @@
 enabled   = true
 # See: /etc/fail2ban/filter.d/sshd.conf
 filter    = sshd
+{% if (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')) %}
+# Integrate with nftables
+banaction=nftables[type=allports]
+{% else %}
 # Integrate with firewalld and ipsets
 banaction = firewallcmd-ipset
+{% endif %}
 backend   = systemd
 maxretry  = {{ fail2ban_maxretry }}
 findtime  = {{ fail2ban_findtime }}

roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2

@@ -2,14 +2,14 @@
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %}
+{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
 ProtectSystem=strict
 {% else %}
 {# Older systemd versions don't have ProtectSystem=strict #}
 ProtectSystem=full
 {% endif %}
 NoNewPrivileges=yes
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %}
+{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban.log

roles/common/templates/nftables.conf.j2

@@ -0,0 +1,87 @@
+#!/usr/sbin/nft -f
+#
+# Initially based on: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
+#
+
+flush ruleset
+
+# Lists updated daily by update-spamhaus-nftables.sh
+include "/etc/nftables/spamhaus-ipv4.nft"
+include "/etc/nftables/spamhaus-ipv6.nft"
+
+# Notes:
+#   - tables hold chains, chains hold rules
+#   - inet is for both ipv4 and ipv6
+table inet filter {
+    set spamhaus-ipv4 {
+        type ipv4_addr
+        # if the set contains prefixes we need to use the interval flag
+        flags interval
+        elements = $SPAMHAUS_IPV4
+    }
+
+    set spamhaus-ipv6 {
+        type ipv6_addr
+        flags interval
+        elements = $SPAMHAUS_IPV6
+    }
+
+    chain input {
+        type filter hook input priority 0;
+
+        # Allow traffic from established and related packets.
+        ct state {established, related} accept
+
+        # Drop invalid packets.
+        ct state invalid counter drop
+
+        # Drop packets matching the spamhaus sets early.
+        ip saddr @spamhaus-ipv4 counter drop
+        ip6 saddr @spamhaus-ipv6 counter drop
+
+        # Allow loopback traffic.
+        iifname lo accept
+
+        # Allow all ICMP and IGMP traffic, but enforce a rate limit
+        # to help prevent some types of flood attacks.
+        ip protocol icmp limit rate 4/second accept
+        ip6 nexthdr ipv6-icmp limit rate 4/second accept
+        ip protocol igmp limit rate 4/second accept
+
+        {# SSH rules #}
+        ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept
+        ip6 saddr ::/0 ct state new tcp dport 22 counter accept
+
+        {# Web rules #}
+        {% if 'web' in group_names %}
+        ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept
+        ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept
+        ip6 saddr ::/0 ct state new tcp dport 80 counter accept
+        ip6 saddr ::/0 ct state new tcp dport 443 counter accept
+        {% endif %}
+
+        {# Extra rules #}
+        {% if extra_iptables_rules is defined %}
+        {% for rule in extra_iptables_rules %}
+        ip saddr {{ ghetto_ipsets[rule.acl].src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
+
+        {% if ghetto_ipsets[rule.acl].ipv6src is defined %}
+        ip6 saddr {{ ghetto_ipsets[rule.acl].ipv6src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
+        {% endif %}
+
+        {% endfor %}
+        {% endif %}
+
+        # everything else
+        reject with icmpx type port-unreachable
+    }
+    chain forward {
+        type filter hook forward priority 0;
+    }
+    chain output {
+        type filter hook output priority 0;
+        # Drop outgoing packets matching the spamhaus sets too
+        ip daddr @spamhaus-ipv4 counter drop
+        ip6 daddr @spamhaus-ipv6 counter drop
+    }
+}

roles/common/templates/sources.list.j2

@@ -9,7 +9,7 @@ deb http://security.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-securi
 {% set apt_mirror    = apt_mirror | default('deb.debian.org') %}
 deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free
 
-deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free
+deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free
 
 deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free
 

roles/common/templates/sshd_config_Debian-11.j2

@@ -0,0 +1,138 @@
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin prohibit-password
+#StrictModes yes
+MaxAuthTries 4
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+ 
+# Based on the ssh-audit profile for OpenSSH 8.4, but with but with all algos
+# with less than 256 bits removed, as NSA's Suite B removed them years ago and
+# the new (2018) CNSA suite is 256 bits and up.
+#
+# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+
+# only allow shell access by provisioning user
+AllowUsers {{ provisioning_user.name }}