firewall: do track wireguard connections not meant for us

Oops. Connection tracking is disabled for our wireguard connections
because of source address mangling. We still need to track outside
connections to allow inbound reply packets through the firewall.
Timotej Lazar 2025-07-19 12:01:24 +02:00
parent c53df0aa9c
commit 78e02134e7
@ -149,7 +149,7 @@ table inet filter {
table inet wireguard {
chain input {
type filter hook prerouting priority raw; policy accept
udp dport 51820 notrack \
ip daddr {{ wg_ip | ipaddr('address') }} udp dport 51820 notrack \
comment "Disable connection tracking for wireguard"
}
chain output {
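Review bot: the narrowed rule in this hunk matches `ip daddr` only, but the table is `inet`, so any IPv6 datagram to udp port 51820 now falls through and gets tracked; if the WireGuard endpoint is reachable over IPv6 as well, add a parallel `ip6 daddr ... udp dport 51820 notrack` line, and if it is deliberately IPv4-only, say so in the rule comment ("Disable connection tracking for wireguard" no longer describes what is untracked). Since this is a prerouting hook it only covers the inbound direction; the `chain output` that starts at the end of the hunk is not shown, and if it carries the mirror notrack rule it should be narrowed the same way (for example with `ip saddr {{ wg_ip | ipaddr('address') }}`) so that both directions of a non-local port-51820 flow end up in conntrack, otherwise the reply packets this commit is meant to let through may still be dropped by the filter table.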