roles/common: use Ansible timezone module

No need to use a command for that. The module does it better because
it doesn't register a change unless the timezone changes.

Pipfile

@@ -10,4 +10,4 @@ ansible = "*"
 ansible-lint = "*"
 
 [requires]
-python_version = "3.12"
+python_version = "3.13"

Pipfile.lock

@@ -1,11 +1,11 @@
 {
     "_meta": {
         "hash": {
-            "sha256": "1316dc54441ba799a74478d11d6112bcb3a8803455b60ec3488c60a8876b87c7"
+            "sha256": "47970866f4ffc7775e3a95dd04ee8b75f9784c457baadd8a31fe1783584fa73f"
         },
         "pipfile-spec": 6,
         "requires": {
-            "python_version": "3.12"
+            "python_version": "3.13"
         },
         "sources": [
             {
@@ -27,11 +27,11 @@
         },
         "ansible-compat": {
             "hashes": [
-                "sha256:0415bcd82f7d84e5b344c03439154c1f16576809dc3a523b81178354c86ae5a1",
-                "sha256:0ad873e0dae8b2de79bc33ced813d6c92c716c4d7b82f9a4693e1fd57f43776e"
+                "sha256:d8befd5c632c5ea0486f0537dea0fd0bb3340aabcc079025a373689150890b57",
+                "sha256:e6d696b0ffe098af2fae7c5b2085fe8fd92c9ed8cb938fe77c8c87af0f2da056"
             ],
-            "markers": "python_version >= '3.9'",
-            "version": "==24.10.0"
+            "markers": "python_version >= '3.10'",
+            "version": "==25.1.0"
         },
         "ansible-core": {
             "hashes": [
@@ -43,20 +43,20 @@
         },
         "ansible-lint": {
             "hashes": [
-                "sha256:ce7a783ce4f053a965e31f308cdb57554259052efea04b8491c9704f11095e54",
-                "sha256:f636309c4e7f724fc1a544df529c4c2354f54cf35ede11d750366afb1158a464"
+                "sha256:9553b2aee124999b2005140bf27619793910454fcf2381e25ceb5b21f7384eed",
+                "sha256:e4d657578a8354832a84a1d5a2b9225a78b9c5fefa8880506b7fa0347d6b5f7e"
             ],
             "index": "pypi",
             "markers": "python_version >= '3.10'",
-            "version": "==24.12.2"
+            "version": "==25.1.0"
         },
         "attrs": {
             "hashes": [
-                "sha256:8f5c07333d543103541ba7be0e2ce16eeee8130cb0b3f9238ab904ce1e85baff",
-                "sha256:ac96cd038792094f438ad1f6ff80837353805ac950cd2aa0e0625ef19850c308"
+                "sha256:1c97078a80c814273a76b2a298a932eb681c87415c11dee0a6921de7f1b02c3e",
+                "sha256:c75a69e28a550a7e93789579c22aa26b0f5b83b75dc4e08fe092980051e1090a"
             ],
             "markers": "python_version >= '3.8'",
-            "version": "==24.3.0"
+            "version": "==25.1.0"
         },
         "black": {
             "hashes": [
@@ -210,19 +210,19 @@
         },
         "filelock": {
             "hashes": [
-                "sha256:2082e5703d51fbf98ea75855d9d5527e33d8ff23099bec374a134febee6946b0",
-                "sha256:c249fbfcd5db47e5e2d6d62198e565475ee65e4831e2561c8e313fa7eb961435"
+                "sha256:533dc2f7ba78dc2f0f531fc6c4940addf7b70a481e269a5a3b93be94ffbe8338",
+                "sha256:ee4e77401ef576ebb38cd7f13b9b28893194acc20a8e68e18730ba9c0e54660e"
             ],
-            "markers": "python_version >= '3.8'",
-            "version": "==3.16.1"
+            "markers": "python_version >= '3.9'",
+            "version": "==3.17.0"
         },
         "importlib-metadata": {
             "hashes": [
-                "sha256:45e54197d28b7a7f1559e60b95e7c567032b602131fbd588f1497f47880aa68b",
-                "sha256:71522656f0abace1d072b9e5481a48f07c138e00f079c38c8f883823f9c26bd7"
+                "sha256:02a89390c1e15fdfdc0d7c6b25cb3e62650d0494005c97d6f148bf5b9787525e",
+                "sha256:310b41d755445d74569f993ccfc22838295d9fe005425094fad953d7f15c8580"
             ],
-            "markers": "python_version >= '3.8'",
-            "version": "==8.5.0"
+            "markers": "python_version >= '3.9'",
+            "version": "==8.6.1"
         },
         "jinja2": {
             "hashes": [
@@ -440,11 +440,11 @@
         },
         "referencing": {
             "hashes": [
-                "sha256:25b42124a6c8b632a425174f24087783efb348a6f1e0008e63cd4466fedf703c",
-                "sha256:eda6d3234d62814d1c64e305c1331c9a3a6132da475ab6382eaa997b21ee75de"
+                "sha256:df2e89862cd09deabbdba16944cc3f10feb6b3e6f18e902f7cc25609a34775aa",
+                "sha256:e8699adbbf8b5c7de96d8ffa0eb5c158b3beafce084968e2ea8bb08c6794dcd0"
             ],
-            "markers": "python_version >= '3.8'",
-            "version": "==0.35.1"
+            "markers": "python_version >= '3.9'",
+            "version": "==0.36.2"
         },
         "resolvelib": {
             "hashes": [
@@ -572,11 +572,11 @@
         },
         "ruamel.yaml": {
             "hashes": [
-                "sha256:57b53ba33def16c4f3d807c0ccbc00f8a6081827e81ba2491691b76882d0c636",
-                "sha256:8b27e6a217e786c6fbe5634d8f3f11bc63e0f80f6a5890f28863d9c45aac311b"
+                "sha256:20c86ab29ac2153f80a428e1254a8adf686d3383df04490514ca3b79a362db58",
+                "sha256:30f22513ab2301b3d2b577adc121c6471f28734d3d9728581245f1e76468b4f1"
             ],
             "markers": "python_version >= '3.7'",
-            "version": "==0.18.6"
+            "version": "==0.18.10"
         },
         "ruamel.yaml.clib": {
             "hashes": [

host_vars/web22

@@ -1,138 +1,138 @@
 $ANSIBLE_VAULT;1.1;AES256
-39373066313030346161656231616436326166363937663239363666356462633536316336343663
-6630363832396134326536306235656137393433313335360a333535613834626562303036396637
-63663133643630313438383966383536333732636136613934396530646133303962373961343563
-3361343730306332650a333739353237363939353736643938393263623438626464613766313066
-36316133666133656637376432363837383061616630613061393731306361333138653561356236
-38383934663735656162656234613031386266663838346365363763653835316334343239633961
-31366633386166356434393637353565643739666537373433393830343236323336626664336666
-64346165653435333139613334616234383164346466346663616434303632663436336234653130
-39373264643465303335663132303231393036366266343335636230353930333164313833636537
-38393466623937313831373330373039343164336463356366343537666266393033363537313462
-32613831306366636134333332656135343038346263343735376165623330663865306138656162
-37393565386661643336323933653234356334633638333138643235366534363530356330316436
-34663331366665363831643064633437303031653135653137643366646530363336393762383230
-66643966366366623631333737313433373739396135383964383439306561343630646530313738
-65333431326238353031646635383931333732383564363532313936376563626237623434316436
-65636538383532623661326431306638353463363434333238613661656238343334613661613736
-39396139326534636562383138396666616433613665393061623637633233353566383061666531
-66323764643438656235316537626332313739333239396164636138633739316333616263366366
-35313839306263326533633638346630616362383761656534353839356536653436323139373362
-62653134633639663730306163323633656462316164616464626363343462316538373135333965
-38333365303662633366663933313235666563373934663234373630653834396234306638393364
-32623965396134356535343337616461663633653034653830633032343031383034613136633863
-33316636643731313634663264336533663238663337643337663061313231303930353961623263
-61643638363338616366313539393066666365323162326335656464303232336337326366346639
-37313831316633343535373638316335336561346235616663376338653634336633383666373332
-31313166363664343830323830633666336632663333643064346332336431393236353833366233
-64313435306464376237643062356437666461316463343562326163616434333436343031323163
-61666430663062333839646532393761366531343430616338363532356164313937336463333033
-64326630303632386634346465366630633935323836386364623031633336366661623037663465
-35663039376530343038366361373064346537613538616136613439303538636431396464633633
-33306362616533333833613239373632646266643432383663626166653432616666353761363835
-62643734393965393939373366313936313264666439363763643930383735623564396233323638
-64396235353033383730653164396531316266643938373238393737393338626336313063346335
-63653232383566646430343039616365363833326639373230613030306366303065383165383962
-33633666313765636638306235386661316537393764333235326565363739643566626231383836
-61366462346162633736316433313161316430653466333731396535376632626431663539396231
-35306361316461306134303136373336636437656663356665643233353865356366396266623335
-35303061303261323531336131346237623963646432616234313066316137613237326164383465
-34333931323733653737363532366264623038653866303934353065613865366332356434333233
-66393532313662316633313832373737653663656466323764353965306630303532386262633266
-63653039643365636436356366343637643237373639373335653962386663663264653861393831
-65613031326465363832333564306634613733313965323731653937353563386536616537353236
-32333038393961623238343437633036346539336134376235353834333735376538383539393535
-62373266303462303338663730303339663230633931663935393165363336326333666665656564
-39666136633830626133316232353537393934393465356430303563366165386635373634636234
-64316238623365373736393937613533666233343866313234643861333033393739326164333139
-62316130616663666337353039356533636537663536646165333836356638623266356161656462
-36623062636330643966333531613234616531326438323135383961633131303763306130303139
-61663137613731353232616336353938646335333165316133633738343563353862306135316534
-64313931663036333934356664626663636566393264666564353037303236366334653365333433
-31333961623237336162626666383831346565313566323362653064306632306239643331323662
-38326539393739343062646464633633663935366434353735636535336135303936613937343234
-66616531336161396239636531646565323166306137366462346662303832393031666365306539
-38386262326435636661336366636264636139333533393736313263643833313431613364636566
-36383731656664623338386339376435623662633333303532386531376365663732623831356366
-65353534633132336137656362396437633332363361663666323935316435356238306462653964
-38633731303665353230663237343664623234663161633366393163623339356466636233343263
-31616330613565336336343438323836363134343433373537626261336362656566613766396234
-34613865613533306264356233663866616166616465663434643465393161336539353765393664
-31396231313139373837646562636262633733353963613138613231373438363265386561383364
-64383931663338363762353334323631313636393539623436383536636166353733333437653465
-35383931326233373730346434323364616538646463316264333761653864306538383362663835
-64643833616135363037613835633565313566346233623061643566376633303366316635303262
-35656334656533333932376264663537313466386336316237643737353863653233636235333762
-63376163386665666434616565316338353834303935363532303433653337623062306233336130
-66623735663463393764396537353265313136373739623334346232353338343134653539643162
-32646431316137636537393339373266383136353730303630643330653364316461363532616362
-34656239346537373664633439393137316163623264356462396333626564643031633038306633
-37366135323763616230643537323830383434633838303865393664396233373032366461303433
-33656634333864366139376534623763346630303337373431363338616261666637326264373662
-62346164346234643965623936353037623433653463386163623235316566653134613233366137
-38316163326537363130353630656532313630396339316536323464336435636133663133363863
-32353236636662346338616563323466393663323963623662353433343331356363333964303435
-64343430623331633962613231383039373130303935333935646130313238306333613564653864
-62353634623166343761656533373265616539636362346462626563613939643065383664346537
-39373962333065656637313035613262316161323762353436373965323431326364613537356163
-33373537663062366261383434333838336161373635303136616635323861386338346530343430
-35363139313434633162376266326538393861336530333036366633323536373339373838326131
-31323436663530656339313964373331626132626461336666636530313330643533306334613161
-65363365353465346434376365353336333538356631393662646534336166353439393837663838
-32616530323663376138323132326364353434613665646133363730636165386164633532303435
-34366363333739653833373834313236623439323265343232326133386332356363663063393339
-63333661363133386138306463383363666263306464393533633236303536613661323137333733
-32353362373164326635323661383035343531386263666262653266363131373335626535323263
-38303334643161313262336365393963356133616364626561373735303365323638643130303332
-38653165366134393062313366396564653735393439353237646564373362383665393731326139
-30303265346164653863633838663434663635616332363163646235396633633138303061353530
-32326133373064646165343865306464663564646237633030616131306134623866663731393763
-61333630346431656163356231643062366530333462663638373037623165383962306531306333
-36313462646138336565326561663765656636633833393133363262666337616535633165333439
-38393634336239303338623235323761663265313332616135623963613933636636633964646461
-30363936373561663832393832646230326533333438656534366136656365616335336632653339
-33313466336135326135323366343262376435376237373038363061636361653737373361316263
-62366665616135333937666164346366316462643939393065646462636132623164613433333336
-61313234623631326233366532323733303839326434636633303037666630336463663535613434
-36396132393566326635323736366336333365343132626338633336396662313562323461303832
-39376431613764633066663233393035333333626634346333306462316639393464666666333432
-66396133613930313639663832333831333363353436613137373739653761356132663765646137
-66666365613938363564646535353731313431306637343331303730353433623039383633323536
-31363332623165346132663165316139393830353566666236373132353762356131373364336261
-66643666306133636633646135313263633233306337366566626131383862303461373563386231
-37313535363339373730343163336162343563366562326465306466336464366133336537353266
-37623636376435363363363538396165656561356266346334333163333433373530616430303866
-61613034356139356539653165616630393963623030653333623130363464376361623263623339
-32363961383566366131323135666163643638613239313934326364303165336365626663353962
-64396461633230313761616566663931663638366238646466383562363331663532666432386233
-34613661353231633832343638323565356662366630313537363964646164363238366431343266
-33616532633631393164656538353838313636393566373934393430333263333939363531636437
-32323332626237393035303461653761343631346534653130643361373836613966326332343337
-36656237363134613137373865396530383130363031383836366536643761643033373635383063
-34363837663065393161336334366439383636376566613331353530313434623061313764313739
-62356531353533323637313030663032313163336661356137356136313366633064616531343437
-30666562336230386636656432346435363138656465383031386536343532343331383539303238
-30613938343864393637633562383461346537326335386331326662633532653436393535386635
-34653430633535396263366536626330656366663565316230313633666433376161323665353766
-39343239323066346136623336396362383664373839313131303263393265373736353237323433
-62616634616163363638333063373462623061303561616531363331633566663334653239386466
-61373465616431323535343037396337666631383362323431663264383965373761383261356164
-31623263646263313061313934343430383331643638396262336235623032343835323430396537
-35353862313937393664653533386436393833656166613963643436643430623330383565373036
-33303731376430376234646233646465363663316139373838623637646138313437653039303239
-30313562636466323162663338343763303964313062396662633935626132656464313336303864
-35666466643265353130636231373430333366643532653466343065663762663662646461323235
-62336338326565653630383261316537373462336135336265643737626366633664393861663834
-32663637326266336437343330646265346162653035653563376137626430306263333132343131
-32623831336334386330656234656439316238626531396462393435396430393564376230326666
-32643034653464343835613738633564646635653536383030316531646532323062623336623737
-36373139363561373038643239646231393032323561316463323330356535393533613734643563
-62663431306330383534663836623135313239616261613162316461666432653935313631386132
-31623039356438633964323436633334656230636337306261616631373265633837383834666432
-65306238623235396464366363633739323861396133323235656234323361396566346565623066
-66373463373737363037323834613833613737353964313131326436326333653934306535343538
-34353939356164623736303366366138396163643437623761643134323762656337616633646161
-62303039386162363966653161323438363866303663616537353961343566616333626563663166
-32386438393363393635303163613239363764343462643038343663396632323138646333373461
-32393066346633633064376136313834386361383335616666626131386565373666386432626334
-6534
+30323862646334626231363530353238333165653862356463386233326433393265643132353262
+3561386632316261383561323831343334363532643566380a333961383133383838343333323937
+39303866616132383334663732393663386236393732386238376464373964373865653538353633
+3863356261663430360a303131373063656136616166363065326563363462656634356666373661
+61663734303833306231393766633338316634383339356436666465313966643635623732643432
+34393633393736353261316232393761613931313537356166646634626137353863353930366130
+63323662653933383537643861623035326166306235343937393764316635613339663132633039
+66643163653739333665396263333332313863616136613132393462346136666163663039333963
+61396562633964653063333338643531373264323739353738346639623433323162356633353538
+38633964363466303433663731303261656166626432366231373464353138383465616539623665
+35666462653864346334316163656232363166303630333238613161646131316338663336323134
+31363139306432653030613661623133626533653261376366633030643734633635396335323332
+66363433613165333761323335333964326431616631343035633062643731616366623532643261
+61376562323863353636643439666133643662336132663938653532323965613163346233356438
+30613639616265633131656436323830353031653265323836303561306561363236613262363532
+61666631663632353162336536323930353637643031353764633438613436393838363533663565
+61386631343965626464623934363865303364363532303937383762393831373265306664626362
+32306365643664363537623065643031666333363564303531613662653734336438343933613361
+61336163646565303339336235366361653665616233396364373565666536313034343661393766
+65313137663832356166626438643638653138303166393633373565633065393639363631316364
+33623764613431646335326338386130626132643233333165323635346638613133383434383134
+66363362363835376336616365376336383138643538666365383831653366393632336264643536
+30346332336163306563303964393463306436643261326232653739313731656537326362386233
+34306433396262633266646562313361666263353831393230393832313135303331393032656564
+66313832643539653865663332613166383334303430376530343962656331633537633131646535
+31666137353461643363353834306662643735303466626366396164393139663739666430386139
+32316566626264663236633336303437626136333535316231633430656663623661306266613566
+39383730636262333439376634313137333331303332633164636533333537366664626165393730
+65366636366464653064666436343334363762303032393233656638356432356664313235353038
+65613730323938393763653735353732643363663637633234343465393264313865373536313031
+63666263326339623662323464346231383535333736333338336562396361633439343964616234
+33373837646262333639393164366336666662343362336330373532306638353464363931303961
+62363730333739346562333333376164663235316262363666396631323430303835636434313036
+30376333383036373639343461666436643632653030623264393163643433333162626439393861
+66333037363738343932323666393061653236376338643762393933366430323036636438333962
+38396432366566343038303533353936363934313866646665313764336433656361363137613233
+37393737663465336638623439373262313366623638336239373961356262653735643935613238
+32343331316630646366306132663337373162363937323535323737313035326233303332316134
+61313838346636353437666630653030316563626134626433306364313765613832343434663335
+33336139303265336461396632633835366538663462393536383361656566393737383961653131
+65393833313737383439356464653638393566646238636539393963313031373435663839613736
+37346434336630366632306230393565363662353263643833613338623064646265313464346435
+34663935353662393734313830316665663432303734313037373963363231636335313130363039
+66383230633538323663333632633334636430393830666638373839633830393865363234626161
+62366564386234623731643930656531353238633237666438623961656661613736333231656165
+33336263386466393064633664613437336631313961633362613864366637376132363131393536
+37373632326237623531636330666237363736643339396132333464643162373636346232366132
+38303833623537393136643131323938623038353030626136373265303762373036653765656462
+33636334623361313136633964346431666261616364643435323131643562333438626133646139
+38373633393732333761633463646561613634313363623235323330323233386265393639383261
+64343465373666306537383431353834386238633134366131376465363231366265383432383338
+33366635363964336663623235316635353961393166313333343432363962636465356639643130
+38336363626666613763336639346534373634323661656366393163653630323131313564643530
+66643235313364376133323832313838363537353738313430396466343535663632396237313862
+35313030376632333034323765316435636331303635386631343534373634376135643664393134
+34366162303432323038376261346231313632356630633937333635343635663964613362343232
+65643533643565383762656636623064346165323231313663636363323365303037636635326134
+34663737316335373166343266303633663565616234613530613430323238303830663538353663
+65663261653633346637656564643937323864393664633830356437353631656233306461306436
+34313765313266336536626630383332343063303738316238626137376435656630663331663839
+39393364613735313033633664616562636530366630306530386432356431663537643864363364
+38633237646564306231653334633032393464653637316139356339316666343436633337613733
+63346465316365366138306562336666333939663335623837326430363736396638333631376535
+30663735306134653064633133326264336638313161623034356165656435626135393739633339
+66623536373632323461343435636539313737313831366433393335396634396539663362356165
+39653330663163323330616165346438393435366362353336316537613036323639613439623361
+63343837303861613733353132373632313330333133316638303064316362316233366439316661
+33326131656539393964643939353161626566666632306133393531313630356262646136613135
+65336238386432336439306366636463373766646263613463373464663762396331303461326432
+65666263373639626635623562343538636434663936666330333638333362333138376230333433
+30666638343766656462366432373632306335393239663337646233653438393362663737613566
+39626239643134623035336634316463313935646262663139643963636335663833386266616465
+35306133383438633134356164633935663439336364373633326336346431353330373137626233
+65663063373839333234663032666263633261346562373561633731343665333364303164306232
+35333434343861666465623834653630396663363435336533336435613037623266623262343265
+36313937363334363365613435633962613764366531626632613735306336613930633134383632
+34366435313862373333396136363764643761646635663064336430636363316234613133643261
+36353136343438646437613064333631626435613465356332346265363030323331343766366363
+66656137346261343131653565356333326336363731393838613536333133643863363033383433
+36663539366238333166303132633939313638656536653230626565646238666433373836353035
+35613638393366373763643266626139316561313561353039613464353962353031643533646238
+38303735663536623230383237653766323935343338393965306237363466653933393536303861
+63366564373461366163373934323063366135633266373364396130376230383136666234616533
+64343032336663646535333265616361656135326238666166353266393833366162333235363432
+33373836373338323934626161613536363162363862396563643864613035643231383936616231
+32386339633436613231663765663366626236656261643033313237386135666138343561663566
+38303163313565313462636363303337653061316335393038643161616539336235363736396435
+34356530633739346661306662376236353336613932323331326164623432393231333863323362
+64623264316161313938666635373235653139663561316462323238333534363332666431626239
+32386630353832303830366331616462656432393362666633383233666439663730316532323765
+61623832366161666166633334623462666531303865313065396638646434396231363739366338
+33616433613866376265333564336266626337616233636265386438313362366439336633306434
+66363063376166663039366334666238333932386434653631313336366564366636363964366538
+35346362353138613961313936306438326632656566613966663138613233356364383837373235
+32313439636136313130313136333865653336383866626231636630316365313838636330376263
+32623931313431373137343463626432393834353462333661656564333238646334323761333663
+34653037366639393363383866626363663838643132663266346335656431303237653832663161
+39653633626139343130393735393539393864356336636163363231633332303232323165646466
+31383831333963393866343937643635376135303835353730656436333432373266303830613661
+35636134333561626133333335323131373031616636373439393337316338656331316564303039
+37343265393030633931346131313730303463383165303933323038363062343030363637646261
+64366661663064643761666539623632333036393631656634333062313535663864376361333639
+39323136656461323163663161643863626336306334343230326236343539633462363533343863
+63313331393838343934643734373937366537626138336439653364346630323530323264336233
+61643637393166316633323139326535366337623666386631316532333735363664353730376462
+34333538323236643063623661333537393837373761636562323661366432373137393732363034
+37323237633563353162653330666162613232376363623238383463376461313662346261323934
+36623163393330303037626566373239643164626634383162646562313533343836653461303238
+62356363666439306438373766633335376362636533333063656335333539343963356631616131
+39303362383532386339663938313534353635633438626437343166376662343731316539316334
+31666133623638376163396161623636373363303436353064336136366634613437396232643836
+35303939316135646361393136366430626435613830656264393832316566303563366163313038
+30613636343062393938373765313063363437383238346132396261376135366531336561303836
+66303034646266383332316161613635366338313835363764376564323530376466633263396161
+32373061303062393564636264616234383336373839616330306531363638356362666664306137
+30393737653061643932346561306239303335646533353432383734626566333331363763313934
+30646465363332306439383635376635343831336435313663343066313963616532366632363832
+64663662363236333035313865393638623534646336326433323034356637643965336430316337
+64383566333663346334373461356138663066623864643430346538343964653838383066313039
+39336164333139646264363366303362353135623633616134636633383865623336386163336230
+37306136663032313430323765393631613036383634383735343837353735333931353666623862
+63306336383137353165343031313361613932323065623930626161373062303864333931623361
+33366330306264636163373236636338353139363438353466326430373635616332336365346562
+65356163366266663636623935343330366161353562633234303661633663343361643764313264
+38666265316138613761353732386230353661643834646364326139373063646362366465333236
+33643765663730646332616463383931363738656636313932666163623733343363393736646562
+63393134613465396134333836656333383763353031383633636336656164316533343735663664
+34363465353832386632323036643935366662636631616261336637336361663864313432363564
+66656633353061613137393861663930366532343730353230626530656430346562383964393964
+63636166396337346636666630363537363332313663346135386138616135356135613131393130
+39383036646563386562326461333037643162396537396637336537623035613734336539326137
+66336130633732383439346262313732336139376633383266633834663130373138363064316564
+33393831333736653236356537623134396532336463336232393463396361363439323731393266
+38643539376531343266336330366263656266393337333139363761623163316238643466356339
+32333837346166333332633738376563303132626130376361383530363165613266373039336332
+63376137343966333264336135333636643231643464633836636433363831393066373466643338
+6335

roles/common/files/abuseipdb-ipv6.nft

@@ -1,5 +0,0 @@
-#!/usr/sbin/nft -f
-
-define ABUSEIPDB_IPV6 = {
-fd21:3523:74e0:7301::
-}

roles/common/files/aggregate-cidr-addresses.pl

@@ -1,89 +0,0 @@
-#!/usr/bin/perl
-#
-# aggregate-cidr-addresses - combine a list of CIDR address blocks
-# Copyright (C) 2001,2007 Mark Suter <suter@zwitterion.org>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see L<http://www.gnu.org/licenses/>.
-#
-# [MJS 22 Oct 2001] Aggregate CIDR addresses
-# [MJS  9 Oct 2007] Overlap idea from Anthony Ledesma at theplanet dot com.
-# [MJS 16 Feb 2012] Prompted to clarify license by Alexander Talos-Zens - at at univie dot ac dot at
-# [MJS 21 Feb 2012] IPv6 fixes by Alexander Talos-Zens
-# [MJS 21 Feb 2012] Split ranges into prefixes (fixes a 10+ year old bug)
-
-use strict;
-use warnings;
-use English qw( -no_match_vars );
-use Net::IP;
-
-## Read in all the IP addresses
-my @addrs = map { Net::IP->new($_) or die "$PROGRAM_NAME: Not an IP: \"$_\"."; }
-    map { / \A \s* (.+?) \s* \Z /msix and $1; } <>;
-
-## Split any ranges into prefixes
-@addrs = map {
-    defined $_->prefixlen ? $_ : map { Net::IP->new($_) }
-        $_->find_prefixes
-} @addrs;
-
-## Sort the IP addresses
-@addrs = sort { $a->version <=> $b->version or $a->bincomp( 'lt', $b ) ? -1 : $a->bincomp( 'gt', $b ) ? 1 : 0 } @addrs;
-
-## Handle overlaps
-my $count   = 0;
-my $current = $addrs[0];
-foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
-    my $r = $current->overlaps($next);
-    if ( $current->version != $next->version or $r == $IP_NO_OVERLAP ) {
-        $current = $next;
-        $count++;
-    }
-    elsif ( $r == $IP_A_IN_B_OVERLAP ) {
-        $current = $next;
-        splice @addrs, $count, 1;
-    }
-    elsif ( $r == $IP_B_IN_A_OVERLAP or $r == $IP_IDENTICAL ) {
-        splice @addrs, $count + 1, 1;
-    }
-    else {
-        die "$PROGRAM_NAME: internal error - overlaps() returned an unexpected value!\n";
-    }
-}
-
-## Keep aggregating until we don't change anything
-my $change = 1;
-while ($change) {
-    $change = 0;
-    my @new_addrs = ();
-    $current = $addrs[0];
-    foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
-        if ( my $total = $current->aggregate($next) ) {
-            $current = $total;
-            $change  = 1;
-        }
-        else {
-            push @new_addrs, $current;
-            $current = $next;
-        }
-    }
-    push @new_addrs, $current;
-    @addrs = @new_addrs;
-}
-
-## Print out the IP addresses
-foreach (@addrs) {
-    print $_->prefix(), "\n";
-}
-
-# $Id: aggregate-cidr-addresses,v 1.9 2012/02/21 10:14:22 suter Exp suter $

roles/common/files/firehol_level1-ipv4.nft

@@ -1,5 +1,5 @@
 #!/usr/sbin/nft -f
 
-define SPAMHAUS_IPV4 = {
+define FIREHOL_LEVEL1_IPV4 = {
 192.168.254.254/32
 }

roles/common/files/spamhaus-ipv6.nft

@@ -1,5 +0,0 @@
-#!/usr/sbin/nft -f
-
-define SPAMHAUS_IPV6 = {
-fd21:3523:74e0:7301::/64
-}

roles/common/files/update-abusech-nftables.service

@@ -1,27 +0,0 @@
-[Unit]
-Description=Update Abuse.ch SSL Blacklist IPs
-# This service will fail if nftables is not running so we use Requires to make
-# sure that nftables is started.
-Requires=nftables.service
-# Make sure the network is up and nftables is started
-After=network-online.target nftables.service
-Wants=network-online.target update-abusech-nftables.timer
-
-[Service]
-# https://www.ctrl.blog/entry/systemd-service-hardening.html
-# Doesn't need access to /home or /root
-ProtectHome=true
-# Possibly only works on Ubuntu 18.04+
-ProtectKernelTunables=true
-ProtectSystem=full
-# Newer systemd can use ReadWritePaths to list files, but this works everywhere
-ReadWriteDirectories=/etc/nftables
-PrivateTmp=true
-WorkingDirectory=/var/tmp
-
-SyslogIdentifier=update-abusech-nftables
-ExecStart=/usr/bin/flock -x update-abusech-nftables.lck \
-          /usr/local/bin/update-abusech-nftables.sh
-
-[Install]
-WantedBy=multi-user.target

roles/common/files/update-abusech-nftables.sh

@@ -1,63 +0,0 @@
-#!/usr/bin/env bash
-#
-# update-abuseipdb-nftables.sh v0.0.1
-#
-# Download IP addresses seen using a blacklisted SSL certificate and load them
-# into nftables sets. As of 2021-07-28 these appear to only be IPv4.
-# 
-# See: https://sslbl.abuse.ch/blacklist
-#
-# Copyright (C) 2021 Alan Orth
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-# Exit on first error
-set -o errexit
-
-abusech_ipv4_set_path=/etc/nftables/abusech-ipv4.nft
-abusech_list_temp=$(mktemp)
-
-echo "Downloading Abuse.sh SSL Blacklist IPs"
-
-abusech_response=$(curl -s -G -w "%{http_code}\n" https://sslbl.abuse.ch/blacklist/sslipblacklist.txt --output "$abusech_list_temp")
-
-if [[ $abusech_response -ne 200 ]]; then
-	echo "Abuse.ch responded: HTTP $abusech_response"
-
-	exit 1
-fi
-
-if [[ -f "$abusech_list_temp" ]]; then
-    echo "Processing IPv4 list"
-
-    abusech_ipv4_list_temp=$(mktemp)
-    abusech_ipv4_set_temp=$(mktemp)
-
-    # Remove comments, DOS carriage returns, and IPv6 addresses (even though
-    # Abuse.ch seems to only have IPv4 addresses, let's not break our shit on
-    # that assumption some time down the line).
-    sed -e '/#/d' -e 's/
-//' -e '/:/d' "$abusech_list_temp" > "$abusech_ipv4_list_temp"
-
-    echo "Building abusech-ipv4 set"
-    cat << NFT_HEAD > "$abusech_ipv4_set_temp"
-#!/usr/sbin/nft -f
-
-define ABUSECH_IPV4 = {
-NFT_HEAD
-
-    while read -r network; do
-        # nftables doesn't mind if the last element in the set has a trailing
-        # comma so we don't need to do anything special here.
-        echo "$network," >> "$abusech_ipv4_set_temp"
-    done < $abusech_ipv4_list_temp
-
-    echo "}" >> "$abusech_ipv4_set_temp"
-
-    install -m 0600 "$abusech_ipv4_set_temp" "$abusech_ipv4_set_path"
-
-    rm -f "$abusech_list_temp" "$abusech_ipv4_list_temp" "$abusech_ipv4_set_temp"
-fi
-
-echo "Reloading nftables"
-# The abusech nftables sets are included by nftables.conf

roles/common/files/update-abusech-nftables.timer

@@ -1,12 +0,0 @@
-[Unit]
-Description=Update Abuse.ch SSL Blacklist IPs
-
-[Timer]
-# Once a day at midnight
-OnCalendar=*-*-* 00:00:00
-# Add a random delay of 0–3600 seconds
-RandomizedDelaySec=3600
-Persistent=true
-
-[Install]
-WantedBy=timers.target

roles/common/files/update-firehol-nftables.service

@@ -1,11 +1,11 @@
 [Unit]
-Description=Update Spamhaus lists
+Description=Update FireHOL lists
 # This service will fail if nftables is not running so we use Requires to make
 # sure that nftables is started.
 Requires=nftables.service
 # Make sure the network is up and nftables is started
 After=network-online.target nftables.service
-Wants=network-online.target update-spamhaus-nftables.timer
+Wants=network-online.target update-firehol-nftables.timer
 
 [Service]
 # https://www.ctrl.blog/entry/systemd-service-hardening.html
@@ -19,9 +19,9 @@ ReadWriteDirectories=/etc/nftables
 PrivateTmp=true
 WorkingDirectory=/var/tmp
 
-SyslogIdentifier=update-spamhaus-nftables
-ExecStart=/usr/bin/flock -x update-spamhaus-nftables.lck \
-          /usr/local/bin/update-spamhaus-nftables.sh
+SyslogIdentifier=update-firehol-nftables
+ExecStart=/usr/bin/flock -x update-firehol-nftables.lck \
+          /usr/local/bin/update-firehol-nftables.sh
 
 [Install]
 WantedBy=multi-user.target

roles/common/files/update-firehol-nftables.timer

@@ -1,5 +1,5 @@
 [Unit]
-Description=Update Spamhaus lists
+Description=Update FireHOL lists
 
 [Timer]
 # Once a day at midnight

roles/common/files/update-spamhaus-nftables.sh

@@ -1,91 +0,0 @@
-#!/usr/bin/env bash
-#
-# update-spamhaus-nftables.sh v0.0.1
-#
-# Download Spamhaus DROP lists and load them into nftables sets.
-# 
-# See: https://www.spamhaus.org/drop/
-#
-# Copyright (C) 2021 Alan Orth
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-# Exit on first error
-set -o errexit
-
-spamhaus_ipv4_set_path=/etc/nftables/spamhaus-ipv4.nft
-spamhaus_ipv6_set_path=/etc/nftables/spamhaus-ipv6.nft
-
-function download() {
-    echo "Downloading $1"
-    wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
-}
-
-download drop.txt
-download edrop.txt
-download dropv6.txt
-
-if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
-    echo "Processing IPv4 DROP lists"
-
-    spamhaus_ipv4_list_temp=$(mktemp)
-    spamhaus_ipv4_set_temp=$(mktemp)
-
-    # Extract all networks from drop.txt and edrop.txt, skipping blank lines and
-    # comments. Use aggregate-cidr-addresses.pl to merge overlapping IPv4 CIDR
-    # ranges to work around a firewalld bug.
-    #
-    # See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
-    cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' | aggregate-cidr-addresses.pl > "$spamhaus_ipv4_list_temp"
-
-    echo "Building spamhaus-ipv4 set"
-    cat << NFT_HEAD > "$spamhaus_ipv4_set_temp"
-#!/usr/sbin/nft -f
-
-define SPAMHAUS_IPV4 = {
-NFT_HEAD
-
-    while read -r network; do
-        # nftables doesn't mind if the last element in the set has a trailing
-        # comma so we don't need to do anything special here.
-        echo "$network," >> "$spamhaus_ipv4_set_temp"
-    done < $spamhaus_ipv4_list_temp
-
-    echo "}" >> "$spamhaus_ipv4_set_temp"
-
-    install -m 0600 "$spamhaus_ipv4_set_temp" "$spamhaus_ipv4_set_path"
-
-    rm -f "$spamhaus_ipv4_list_temp" "$spamhaus_ipv4_set_temp"
-fi
-
-if [[ -f "dropv6.txt" ]]; then
-    echo "Processing IPv6 DROP lists"
-
-    spamhaus_ipv6_list_temp=$(mktemp)
-    spamhaus_ipv6_set_temp=$(mktemp)
-
-    sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt > "$spamhaus_ipv6_list_temp"
-
-    echo "Building spamhaus-ipv6 set"
-    cat << NFT_HEAD > "$spamhaus_ipv6_set_temp"
-#!/usr/sbin/nft -f
-
-define SPAMHAUS_IPV6 = {
-NFT_HEAD
-
-    while read -r network; do
-        echo "$network," >> "$spamhaus_ipv6_set_temp"
-    done < $spamhaus_ipv6_list_temp
-
-    echo "}" >> "$spamhaus_ipv6_set_temp"
-
-    install -m 0600 "$spamhaus_ipv6_set_temp" "$spamhaus_ipv6_set_path"
-
-    rm -f "$spamhaus_ipv6_list_temp" "$spamhaus_ipv6_set_temp"
-fi
-
-echo "Reloading nftables"
-# The spamhaus nftables sets are included by nftables.conf
-/usr/sbin/nft -f /etc/nftables.conf
-
-rm -v drop.txt edrop.txt dropv6.txt

roles/common/tasks/firewall.yml

@@ -0,0 +1,20 @@
+---
+- name: Configure firewall (Debian)
+  when: ansible_distribution == 'Debian'
+  ansible.builtin.include_tasks:
+    file: firewall_Debian.yml
+    apply:
+      tags:
+        - firewall
+  tags: firewall
+
+- name: Configure firewall (Ubuntu)
+  when: ansible_distribution == 'Ubuntu'
+  ansible.builtin.include_tasks:
+    file: firewall_Ubuntu.yml
+    apply:
+      tags:
+        - firewall
+  tags: firewall
+
+

roles/common/tasks/firewall_Debian.yml

@@ -1,115 +1,28 @@
 ---
 # Debian 11+ will use nftables directly, with no firewalld.
 
-- block:
-    - name: Install Debian firewall packages
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.package:
-        name:
-          - libnet-ip-perl # for aggregate-cidr-addresses.pl
-          - nftables
-          - curl # for nftables update scripts
-        state: present
-        cache_valid_time: 3600
+- name: Install Debian firewall packages
+  when: ansible_distribution_major_version is version('11', '>=')
+  ansible.builtin.package:
+    name:
+      - libnet-ip-perl # for aggregate-cidr-addresses.pl
+      - nftables
+      - curl # for nftables update scripts
+    state: present
+    cache_valid_time: 3600
 
-    - name: Remove iptables on newer Debian
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.apt:
-        pkg: iptables
-        state: absent
+- name: Remove iptables on newer Debian
+  when: ansible_distribution_major_version is version('11', '>=')
+  ansible.builtin.apt:
+    pkg: iptables
+    state: absent
 
-    - name: Copy nftables.conf
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.template:
-        src: nftables.conf.j2
-        dest: /etc/nftables.conf
-        owner: root
-        mode: "0644"
-      notify:
-        - restart nftables
-        - restart fail2ban
+- name: Configure nftables
+  ansible.builtin.include_tasks: nftables.yml
+  when: ansible_distribution_version is version('11', '>=')
 
-    - name: Create /etc/nftables extra config directory
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.file:
-        path: /etc/nftables
-        state: directory
-        owner: root
-        mode: "0755"
-
-    - name: Copy extra nftables configuration files
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.copy:
-        src: "{{ item.src }}"
-        dest: /etc/nftables/{{ item.src }}
-        owner: root
-        group: root
-        mode: "0644"
-        force: "{{ item.force }}"
-      loop:
-        - { src: spamhaus-ipv4.nft, force: "no" }
-        - { src: spamhaus-ipv6.nft, force: "no" }
-        - { src: abusech-ipv4.nft, force: "no" }
-        - { src: abuseipdb-ipv4.nft, force: "yes" }
-        - { src: abuseipdb-ipv6.nft, force: "yes" }
-      notify:
-        - restart nftables
-        - restart fail2ban
-
-    - name: Copy nftables update scripts
-      when: ansible_distribution_version is version('11', '>=')
-      ansible.builtin.copy:
-        src: "{{ item }}"
-        dest: /usr/local/bin/{{ item }}
-        mode: "0755"
-        owner: root
-        group: root
-      loop:
-        - update-spamhaus-nftables.sh
-        - aggregate-cidr-addresses.pl
-        - update-abusech-nftables.sh
-
-    - name: Copy nftables systemd units
-      when: ansible_distribution_version is version('11', '>=')
-      ansible.builtin.copy:
-        src: "{{ item }}"
-        dest: /etc/systemd/system/{{ item }}
-        mode: "0644"
-        owner: root
-        group: root
-      loop:
-        - update-spamhaus-nftables.service
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.service
-        - update-abusech-nftables.timer
-      register: nftables_systemd_units
-
-    # need to reload to pick up service/timer/environment changes
-    - name: Reload systemd daemon
-      ansible.builtin.systemd:
-        daemon_reload: true
-      when: nftables_systemd_units is changed
-
-    - name: Start and enable nftables update timers
-      when: ansible_distribution_version is version('11', '>=')
-      ansible.builtin.systemd:
-        name: "{{ item }}"
-        state: started
-        enabled: true
-      loop:
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.timer
-
-    - name: Start and enable nftables
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.systemd:
-        name: nftables
-        state: started
-        enabled: true
-
-    - ansible.builtin.include_tasks: fail2ban.yml
-      when:
-        - ansible_distribution_major_version is version('9', '>=')
-  tags: firewall
+- ansible.builtin.include_tasks: fail2ban.yml
+  when:
+    - ansible_distribution_major_version is version('9', '>=')
 
 # vim: set sw=2 ts=2:

roles/common/tasks/firewall_Ubuntu.yml

@@ -1,114 +1,27 @@
 ---
 # Ubuntu 20.04 will use nftables directly, with no firewalld.
 
-- block:
-    - name: Install Ubuntu firewall packages
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.package:
-        name:
-          - libnet-ip-perl # for aggregate-cidr-addresses.pl
-          - nftables
-          - curl # for nftables update scripts
-        state: present
-        cache_valid_time: 3600
+- name: Install Ubuntu firewall packages
+  when: ansible_distribution_version is version('20.04', '>=')
+  ansible.builtin.package:
+    name:
+      - libnet-ip-perl # for aggregate-cidr-addresses.pl
+      - nftables
+      - curl # for nftables update scripts
+    state: present
+    cache_valid_time: 3600
 
-    - name: Remove ufw
-      ansible.builtin.package:
-        name: ufw
-        state: absent
+- name: Remove ufw
+  ansible.builtin.package:
+    name: ufw
+    state: absent
 
-    - name: Copy nftables.conf
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.template:
-        src: nftables.conf.j2
-        dest: /etc/nftables.conf
-        owner: root
-        mode: "0644"
-      notify:
-        - restart nftables
-        - restart fail2ban
+- name: Configure nftables
+  ansible.builtin.include_tasks: nftables.yml
+  when: ansible_distribution_version is version('20.04', '>=')
 
-    - name: Create /etc/nftables extra config directory
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.file:
-        path: /etc/nftables
-        state: directory
-        owner: root
-        mode: "0755"
-
-    - name: Copy extra nftables configuration files
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.copy:
-        src: "{{ item.src }}"
-        dest: /etc/nftables/{{ item.src }}
-        owner: root
-        group: root
-        mode: "0644"
-        force: "{{ item.force }}"
-      loop:
-        - { src: spamhaus-ipv4.nft, force: "no" }
-        - { src: spamhaus-ipv6.nft, force: "no" }
-        - { src: abusech-ipv4.nft, force: "no" }
-        - { src: abuseipdb-ipv4.nft, force: "yes" }
-        - { src: abuseipdb-ipv6.nft, force: "yes" }
-      notify:
-        - restart nftables
-        - restart fail2ban
-
-    - name: Copy nftables update scripts
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.copy:
-        src: "{{ item }}"
-        dest: /usr/local/bin/{{ item }}
-        mode: "0755"
-        owner: root
-        group: root
-      loop:
-        - update-spamhaus-nftables.sh
-        - aggregate-cidr-addresses.pl
-        - update-abusech-nftables.sh
-
-    - name: Copy nftables systemd units
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.copy:
-        src: "{{ item }}"
-        dest: /etc/systemd/system/{{ item }}
-        mode: "0644"
-        owner: root
-        group: root
-      loop:
-        - update-spamhaus-nftables.service
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.service
-        - update-abusech-nftables.timer
-      register: nftables_systemd_units
-
-    # need to reload to pick up service/timer/environment changes
-    - name: Reload systemd daemon
-      ansible.builtin.systemd:
-        daemon_reload: true
-      when: nftables_systemd_units is changed
-
-    - name: Start and enable nftables update timers
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.systemd:
-        name: "{{ item }}"
-        state: started
-        enabled: true
-      loop:
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.timer
-
-    - name: Start and enable nftables
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.systemd:
-        name: nftables
-        state: started
-        enabled: true
-
-    - ansible.builtin.include_tasks: fail2ban.yml
-      when:
-        - ansible_distribution_version is version('16.04', '>=')
-  tags: firewall
+- ansible.builtin.include_tasks: fail2ban.yml
+  when:
+    - ansible_distribution_version is version('16.04', '>=')
 
 # vim: set sw=2 ts=2:

roles/common/tasks/main.yml

@@ -18,13 +18,7 @@
   tags: packages
 
 - name: Configure firewall
-  ansible.builtin.include_tasks: firewall_Debian.yml
-  when: ansible_distribution == 'Debian'
-  tags: firewall
-
-- name: Configure firewall
-  ansible.builtin.include_tasks: firewall_Ubuntu.yml
-  when: ansible_distribution == 'Ubuntu'
+  ansible.builtin.import_tasks: firewall.yml
   tags: firewall
 
 - name: Configure secure shell daemon

roles/common/tasks/nftables.yml

@@ -0,0 +1,97 @@
+---
+# Common nftables tasks for Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, Debian 11,
+# and Debian 12.
+
+- name: Copy nftables.conf
+  ansible.builtin.template:
+    src: nftables.conf.j2
+    dest: /etc/nftables.conf
+    owner: root
+    mode: "0644"
+  notify:
+    - restart nftables
+    - restart fail2ban
+
+- name: Create /etc/nftables extra config directory
+  ansible.builtin.file:
+    path: /etc/nftables
+    state: directory
+    owner: root
+    mode: "0755"
+
+- name: Copy extra nftables configuration files
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: /etc/nftables/{{ item.src }}
+    owner: root
+    group: root
+    mode: "0644"
+    force: "{{ item.force }}"
+  loop:
+    - { src: firehol_level1-ipv4.nft, force: false }
+  notify:
+    - restart nftables
+    - restart fail2ban
+
+- name: Copy nftables update scripts
+  ansible.builtin.template:
+    src: update-firehol-nftables.sh.j2
+    dest: /usr/local/bin/update-firehol-nftables.sh
+    mode: "0755"
+    owner: root
+    group: root
+
+- name: Remove deprecated data and scripts
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/nftables/spamhaus-ipv4.nft
+    - /etc/nftables/spamhaus-ipv6.nft
+    - /etc/nftables/abuseipdb-ipv4.nft
+    - /etc/nftables/abuseipdb-ipv6.nft
+    - /etc/nftables/abusech-ipv4.nft
+    - /usr/local/bin/update-abusech-nftables.sh
+    - /usr/local/bin/update-spamhaus-nftables.sh
+    - /etc/systemd/system/update-abusech-nftables.service
+    - /etc/systemd/system/update-abusech-nftables.timer
+    - /etc/systemd/system/update-spamhaus-nftables.service
+    - /etc/systemd/system/update-spamhaus-nftables.timer
+    - /usr/local/bin/aggregate-cidr-addresses.pl
+  notify:
+    - restart nftables
+    - restart fail2ban
+
+- name: Copy nftables systemd units
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /etc/systemd/system/{{ item }}
+    mode: "0644"
+    owner: root
+    group: root
+  loop:
+    - update-firehol-nftables.service
+    - update-firehol-nftables.timer
+  register: nftables_systemd_units
+
+# need to reload to pick up service/timer/environment changes
+- name: Reload systemd daemon
+  ansible.builtin.systemd: # noqa no-handler
+    daemon_reload: true
+  when: nftables_systemd_units is changed
+
+- name: Start and enable nftables update timers
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+    state: started
+    enabled: true
+  loop:
+    - update-firehol-nftables.timer
+
+- name: Start and enable nftables
+  ansible.builtin.systemd:
+    name: nftables
+    state: started
+    enabled: true
+
+# vim: set sw=2 ts=2:

roles/common/tasks/ntp.yml

@@ -4,8 +4,11 @@
 # client.
 
 - name: Set timezone
-  when: timezone is defined and ansible_service_mgr == 'systemd'
-  command: /usr/bin/timedatectl set-timezone {{ timezone }}
+  when:
+    - timezone is defined
+    - ansible_service_mgr == 'systemd'
+  community.general.timezone:
+    name: "{{ timezone }}"
   tags: timezone
 
 # Apparently some cloud images don't have this installed by default. From what

roles/common/templates/nftables.conf.j2

@@ -5,47 +5,18 @@
 
 flush ruleset
 
-# Lists updated daily by update-spamhaus-nftables.sh
-include "/etc/nftables/spamhaus-ipv4.nft"
-include "/etc/nftables/spamhaus-ipv6.nft"
-
-# Lists updated monthly (manually)
-include "/etc/nftables/abuseipdb-ipv4.nft"
-include "/etc/nftables/abuseipdb-ipv6.nft"
-
-# Lists updated daily by update-abusech-nftables.sh
-include "/etc/nftables/abusech-ipv4.nft"
+# List updated daily by update-firehol-nftables.sh
+include "/etc/nftables/firehol_level1-ipv4.nft"
 
 # Notes:
 #   - tables hold chains, chains hold rules
 #   - inet is for both ipv4 and ipv6
 table inet filter {
-    set spamhaus-ipv4 {
+    set firehol_level1-ipv4 {
         type ipv4_addr
         # if the set contains prefixes we need to use the interval flag
         flags interval
-        elements = $SPAMHAUS_IPV4
-    }
-
-    set spamhaus-ipv6 {
-        type ipv6_addr
-        flags interval
-        elements = $SPAMHAUS_IPV6
-    }
-
-    set abusech-ipv4 {
-        type ipv4_addr
-        elements = $ABUSECH_IPV4
-    }
-
-    set abuseipdb-ipv4 {
-        type ipv4_addr
-        elements = $ABUSEIPDB_IPV4
-    }
-
-    set abuseipdb-ipv6 {
-        type ipv6_addr
-        elements = $ABUSEIPDB_IPV6
+        elements = $FIREHOL_LEVEL1_IPV4
     }
 
     chain input {
@@ -55,13 +26,7 @@ table inet filter {
 
         ct state invalid counter drop comment "Early drop of invalid connections"
 
-        ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list"
-        ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"
-
-        ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"
-
-        ip saddr @abuseipdb-ipv4 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv4 list"
-        ip6 saddr @abuseipdb-ipv6 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv6 list"
+        ip saddr @firehol_level1-ipv4 counter drop comment "Early drop of incoming packets matching firehol_level1-ipv4 list"
 
         iifname lo accept comment "Allow from loopback"
 
@@ -105,12 +70,6 @@ table inet filter {
     chain output {
         type filter hook output priority 0;
 
-        ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list"
-        ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"
-
-        ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
-
-        ip daddr @abuseipdb-ipv4 counter drop comment "Drop outgoing packets matching abuseipdb-ipv4 list"
-        ip6 daddr @abuseipdb-ipv6 counter drop comment "Drop outgoing packets matching abuseipdb-ipv6 list"
+        ip daddr @firehol_level1-ipv4 counter drop comment "Drop outgoing packets matching firehol_level1-ipv4 list"
     }
 }

roles/common/templates/update-firehol-nftables.sh.j2

@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+#
+# update-firehol-nftables.sh v0.0.1
+#
+# Download FireHOL lists and load them into nftables sets.
+# 
+# See: https://iplists.firehol.org/
+#
+# Copyright (C) 2025 Alan Orth
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Exit on first error
+set -o errexit
+
+firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft
+
+function download() {
+    echo "Downloading $1"
+    wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"
+}
+
+download firehol_level1.netset
+
+if [[ -f "firehol_level1.netset" ]]; then
+    echo "Processing FireHOL Level 1 list"
+
+    firehol_level1_ipv4_list_temp=$(mktemp)
+    firehol_level1_ipv4_set_temp=$(mktemp)
+
+    # Filter blank lines and comments
+    cat firehol_level1.netset \
+        | sed \
+            -e '/^$/d' \
+            -e '/^#.*/d' \
+        > "$firehol_level1_ipv4_list_temp"
+
+    echo "Building firehol_level1-ipv4 set"
+    cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"
+#!/usr/sbin/nft -f
+
+define FIREHOL_LEVEL1_IPV4 = {
+NFT_HEAD
+
+    while read -r network; do
+        # nftables doesn't mind if the last element in the set has a trailing
+        # comma so we don't need to do anything special here.
+        echo "$network," >> "$firehol_level1_ipv4_set_temp"
+    done < $firehol_level1_ipv4_list_temp
+
+    echo "}" >> "$firehol_level1_ipv4_set_temp"
+
+    install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"
+
+    rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
+fi
+
+echo "Reloading nftables"
+{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '<=') %}
+{%   set systemctl_bin = '/bin/systemctl' %}
+{% else %}
+{%   set systemctl_bin = '/usr/bin/systemctl' %}
+{% endif -%}
+
+{{ systemctl_bin }} reload nftables.service
+
+rm -v firehol_level1.netset