consider deploying kernel hardening features
we do have some minimal hardening stuff (like disabling module loading after boot and disabling user namespaces) but not much. let's see what we could improve to reduce the attack surface on our servers.
a good place to start would be this list:
https://git.autistici.org/ai3/float/-/blob/master/roles/float-base/templates/sysctl.conf.j2
... and talking to fellow sysadmins about what they do in production as well. this should obviously be distributed progressively. also note that our userns clone hack might be removed from debian, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024186
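Because the plan is to roll settings out progressively, a read-only audit that reports where a host differs from the intended baseline is useful before anything is enforced. The script below is an added example, not part of this ticket and not the float project's own code: it parses a sysctl.conf-style baseline, reads the live values from /proc/sys, and reports per key whether it matches, drifts, or is absent on the running kernel. The baseline embedded in it is a constructed sample; the keys are real Linux sysctls, but the values are illustrative and are not taken from the float template linked above. A key the kernel does not expose (as kernel.unprivileged_userns_clone will be if that Debian patch goes away) is reported as missing rather than treated as a failure, so the check keeps working across kernels.

```python
"""Audit running sysctl values against a hardening baseline.

Added example (not from the ticket or from the float project): it parses a
sysctl.conf-style baseline, reads the live values from /proc/sys, and reports
drift without changing anything, so it can run as a read-only check before
any setting is enforced.
"""
import os
import re

# Constructed sample baseline in sysctl.conf syntax. These keys are real Linux
# sysctls, but the chosen values are illustrative, not the float project's file.
SAMPLE_BASELINE = """
# restrict kernel pointer and log exposure
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.yama.ptrace_scope = 1
kernel.unprivileged_bpf_disabled = 1
# Debian-specific knob; absent on kernels without the patch
kernel.unprivileged_userns_clone = 0
net.ipv4.conf.all.rp_filter = 1
"""

SYSCTL_LINE = re.compile(r"^\s*([\w.\-/]+)\s*=\s*(.*?)\s*$")


def normalise(value):
    """Collapse whitespace so '1\\t1' read from /proc/sys equals '1 1' in a file."""
    return " ".join(value.split())


def parse_baseline(text):
    """Parse 'key = value' lines; blank lines and '#'/';' comments are ignored."""
    wanted = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SYSCTL_LINE.match(line)
        if not m:
            raise ValueError("unparseable sysctl line: %r" % raw)
        key, value = m.group(1), m.group(2)
        # sysctl(8) accepts slashes as well as dots; normalise to dotted form
        wanted[key.replace("/", ".")] = normalise(value)
    return wanted


def read_current(keys, root="/proc/sys"):
    """Read each key under /proc/sys; None when the kernel has no such knob."""
    current = {}
    for key in keys:
        # dotted key -> path; keys whose leaf itself contains dots are not handled
        path = os.path.join(root, *key.split("."))
        try:
            with open(path) as fh:
                current[key] = normalise(fh.read())
        except OSError:
            current[key] = None
    return current


def audit(wanted, current):
    """Return {'ok': [keys], 'drift': {key: (want, have)}, 'missing': [keys]}."""
    report = {"ok": [], "drift": {}, "missing": []}
    for key, want in sorted(wanted.items()):
        have = current.get(key)
        if have is None:
            report["missing"].append(key)
        elif have != want:
            report["drift"][key] = (want, have)
        else:
            report["ok"].append(key)
    return report


def main():
    wanted = parse_baseline(SAMPLE_BASELINE)
    report = audit(wanted, read_current(wanted))
    for key in report["ok"]:
        print("ok       %s" % key)
    for key, (want, have) in report["drift"].items():
        print("DRIFT    %s: want %s, have %s" % (key, want, have))
    for key in report["missing"]:
        print("MISSING  %s (not present on this kernel)" % key)
    # non-zero exit on drift so the check can be run from cron or a CI job
    return 1 if report["drift"] else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as an unprivileged user on each host; reading /proc/sys needs no root, and the exit status makes the drift visible to whatever scheduler runs it. Replacing SAMPLE_BASELINE with the contents of the real sysctl.conf gives the same audit against the agreed baseline.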