firewall: ensure wireguard egress traffic uses the anycast source IP

Before we relied on the IP being first in the interfaces file, which
is less than optimal. Now we use nftables to ensure the correct source
IP is set only for the (fwmarked) wireguard traffic.

Also remove iface hints from interfaces configuration as they are not
needed with ifupdown-ng.

roles/firewall/templates/interfaces.j2

@@ -1,10 +1,9 @@
 {% set addrs = interfaces | selectattr('name', '==', 'lo') | map(attribute='ip_addresses') | first -%}
 
-source-directory /etc/network/interfaces.d
-
 auto lo
-iface lo inet loopback
-    address {{ wg_ip }}
+iface lo
 {% for address in addrs %}
     address {{ address.address }}
 {% endfor %}
+
+source-directory /etc/network/interfaces.d

roles/firewall/templates/nftables.nft.j2

@@ -146,6 +146,19 @@ table inet filter {
     }
 }
 
+table inet wireguard {
+    chain input {
+        type filter hook prerouting priority raw; policy accept
+        udp dport 51820 notrack \
+        comment "Disable connection tracking for wireguard"
+    }
+    chain output {
+        type route hook output priority raw; policy accept
+        meta mark 51820 meta nfproto ipv4 ip saddr set {{ wg_ip | ipaddr('address') }} notrack \
+        comment "Disable connection tracking and set anycast source IP for wireguard"
+    }
+}
+
 table ip nat {
     include "/etc/nftables.d/interfaces.nft"
     include "/etc/nftables.d/networks.nft"

roles/firewall/templates/wg.intf.j2

@@ -1,5 +1,8 @@
+iface lo
+    address {{ wg_ip }}
+
 auto wg
-iface wg inet static
+iface wg
     use wireguard
 {% if wg_net is defined %}
     address {{ wg_net }}