roles/common: bring Ubuntu firewall changes to Debian 11

Note that there is currently an issue loading the spamhaus rules on
Debian 11 when using ipsets with firewalld and the nftables backend.
The bug is apparently caused by overlapping CIDR segments, and the
solution appears to be that we need to manually aggregate them with
a tool like aggregate6 (Python).

See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
See: https://wiki.fysik.dtu.dk/it/Linux_firewall_configuration#using-ipsets-in-firewalld-on-rhel-centos-8
See: https://github.com/job/aggregate6

roles/common/tasks/firewall_Debian.yml

@@ -14,7 +14,7 @@
     apt: pkg={{ debian_firewall_packages }} state=present
 
   - name: Use iptables backend in firewalld
-    when: ansible_distribution_major_version is version('10', '>=')
+    when: ansible_distribution_major_version is version('10', '==')
     lineinfile:
       dest: /etc/firewalld/firewalld.conf
       regexp: '^FirewallBackend=nftables$'
@@ -26,7 +26,7 @@
 # backend. Using individual calls seems to work around it.
 # See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
   - name: Use individual iptables calls
-    when: ansible_distribution_major_version is version('10', '>=')
+    when: ansible_distribution_major_version is version('10', '==')
     lineinfile:
       dest: /etc/firewalld/firewalld.conf
       regexp: '^IndividualCalls=no$'
@@ -50,6 +50,31 @@
     loop:
       - abusers-ipv4.xml
       - abusers-ipv6.xml
+      - spamhaus-ipv4.xml
+      - spamhaus-ipv6.xml
+    notify:
+      - restart firewalld
+
+  - name: Copy Spamhaus update script
+    when: ansible_distribution_version is version('9', '>=')
+    copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
+
+  - name: Copy Spamhaus systemd units
+    when: ansible_distribution_version is version('9', '>=')
+    copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
+    loop:
+        - update-spamhaus-lists.service
+        - update-spamhaus-lists.timer
+    register: spamhaus_systemd_units
+
+  # need to reload to pick up service/timer/environment changes
+  - name: Reload systemd daemon
+    systemd: daemon_reload=yes
+    when: spamhaus_systemd_units is changed
+
+  - name: Start and enable Spamhaus update timer
+    when: ansible_distribution_version is version('9', '>=')
+    systemd: name=update-spamhaus-lists.timer state=started enabled=yes
     notify:
       - restart firewalld
 

roles/common/tasks/packages_Debian.yml

@@ -3,6 +3,7 @@
 - block:
   - name: Configure apt mirror
     template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
+    when: ansible_architecture != 'armv7l'
 
   - name: Set fact for base packages
     set_fact:

roles/common/templates/sshd_config_Debian-11.j2

@@ -122,6 +122,17 @@ Subsystem	sftp	/usr/lib/openssh/sftp-server
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
+ 
+# Based on the ssh-audit profile for OpenSSH 8.4, but with but with all algos
+# with less than 256 bits removed, as NSA's Suite B removed them years ago and
+# the new (2018) CNSA suite is 256 bits and up.
+#
+# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 
 # only allow shell access by provisioning user
 AllowUsers {{ provisioning_user.name }}