security: drop all CBC TLS suites (Qualys WEAK -> AEAD-only, still A+); sync ansible nginx templates (ciphers + ywxi CSP); capture host firewall as IaC

docs/vm-security-hardening.md

@@ -86,3 +86,15 @@ backups moved to `/etc/nginx/backups/` (NOT in an include path).
 - **Hosted in a SOC 2 Type II compliant data center**
 TODO: TrustedSite (ex-McAfee SECURE) free tier needs a signup to get the
 daily-scan trustmark image - add later if an image seal is wanted.
+
+### TLS cipher: removed all CBC suites (2026-06-06)
+Qualys flagged the two remaining CBC suites as WEAK:
+`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384` (0xc024) and
+`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` (0xc023). CBC modes carry the historic
+padding-oracle risk; every modern client supports AEAD, so they were dropped.
+Final cipher list = AEAD only: GCM (AES-128/256) + CHACHA20-POLY1305 (TLS 1.2)
+plus TLS 1.3 suites. Verified: CBC no longer negotiates, GCM/TLS1.3 work, site
+200, **Qualys A+ with WEAK suites: NONE**. The cipher list + the cdn.ywxi.net CSP
+addition are now in the ansible templates (`infra/ansible/roles/nginx/templates/`)
+so they don't drift on the next ansible run. Firewall captured as IaC in
+`infra/firewall/`.