feat: add DNS server routes to WireGuard profiles and gateway firewall rules

Add mergeProfileAllowedIPs function to combine policy destinations with DNS server routes in device enrollment and rotation. Add dnsServerRoute helper to convert DNS server IPs to /32 CIDR notation. Update BuildSyncBundle query to include gateway DNS servers in peer data. Add DNSServers field to wireguard.Peer struct. Update gateway nftables configuration to allow UDP/TCP port 53 traffic from assigned IPs to DNS servers before
2026-03-18 08:48:08 +01:00
parent cb79bdafbd
commit e3bd6d3b96
4 changed files with 58 additions and 6 deletions
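The commit message names a mergeProfileAllowedIPs function and a dnsServerRoute helper but the diff of those Go files is not shown on this page. The block below is an added example written for this page, not the project's own code: it implements the behaviour the message describes (DNS server IPs become /32 host routes and are merged with the policy destinations) under assumed signatures, and goes a little further than the message by validating every input with net/netip, canonicalising prefixes, deduplicating, skipping a DNS host route already covered by a destination CIDR, and producing /128 routes for IPv6 servers. Whether the real functions do any of that is not established by the page.

```go
package main

import (
	"fmt"
	"net/netip"
)

// dnsServerRoute turns a bare DNS server address into a single-host prefix
// (/32 for IPv4, /128 for IPv6) for use as a WireGuard AllowedIPs entry.
// Only a plain address is accepted: a CIDR or hostname would silently
// widen the route, so it is rejected instead of being passed through.
// (Assumed signature; the project's helper is not shown on this page.)
func dnsServerRoute(server string) (netip.Prefix, error) {
	addr, err := netip.ParseAddr(server)
	if err != nil {
		return netip.Prefix{}, fmt.Errorf("dns server %q: %w", server, err)
	}
	// Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4 so the
	// route matches the "ip daddr" form the gateway firewall uses.
	addr = addr.Unmap()
	return netip.PrefixFrom(addr, addr.BitLen()), nil
}

// mergeProfileAllowedIPs combines the policy's destination CIDRs with a host
// route per DNS server. Every input is validated, prefixes are canonicalised
// (host bits cleared), exact duplicates are dropped, and a DNS host route
// already covered by a destination CIDR is not added again. Output order is
// destinations first (in input order), then DNS routes, so the result is
// deterministic for a given profile. (Assumed signature and behaviour.)
func mergeProfileAllowedIPs(destinations, dnsServers []string) ([]string, error) {
	var merged []netip.Prefix
	seen := make(map[netip.Prefix]struct{})

	for _, d := range destinations {
		p, err := netip.ParsePrefix(d)
		if err != nil {
			return nil, fmt.Errorf("destination %q: %w", d, err)
		}
		p = p.Masked()
		if _, dup := seen[p]; dup {
			continue
		}
		seen[p] = struct{}{}
		merged = append(merged, p)
	}

	for _, s := range dnsServers {
		route, err := dnsServerRoute(s)
		if err != nil {
			return nil, err
		}
		if _, dup := seen[route]; dup {
			continue
		}
		covered := false
		for _, p := range merged {
			if p.Contains(route.Addr()) {
				covered = true
				break
			}
		}
		if covered {
			continue
		}
		seen[route] = struct{}{}
		merged = append(merged, route)
	}

	out := make([]string, 0, len(merged))
	for _, p := range merged {
		out = append(out, p.String())
	}
	return out, nil
}

func main() {
	// Constructed sample profile: two policy destinations (one repeated) and
	// three DNS servers, one of which already sits inside a destination CIDR.
	allowed, err := mergeProfileAllowedIPs(
		[]string{"10.0.0.0/8", "192.168.1.0/24", "10.0.0.0/8"},
		[]string{"1.1.1.1", "10.5.5.5", "2606:4700:4700::1111"},
	)
	if err != nil {
		panic(err)
	}
	fmt.Println("AllowedIPs =", allowed)

	// A CIDR or hostname in the DNS list fails closed instead of becoming a
	// wider route than intended.
	if _, err := dnsServerRoute("1.1.1.1/32"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The containment check matters for the gateway side as much as the client side: a DNS server inside an already-allowed CIDR needs no extra AllowedIPs entry, and the firewall rule for it is then reachable either way.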


@@ -114,6 +114,10 @@ EOF
jq -c '.peers[]?' "${STATE_JSON}" | while read -r peer; do
ASSIGNED_IP=$(printf '%s' "${peer}" | jq -r '.assigned_ip')
printf '%s' "${peer}" | jq -r '.dns_servers[]?' | while read -r dns_server; do
echo " iifname \"${IFACE}\" ip saddr ${ASSIGNED_IP} ip daddr ${dns_server} udp dport 53 accept"
echo " iifname \"${IFACE}\" ip saddr ${ASSIGNED_IP} ip daddr ${dns_server} tcp dport 53 accept"
done
printf '%s' "${peer}" | jq -r '.allowed_destinations[]?' | while read -r destination; do
echo " iifname \"${IFACE}\" ip saddr ${ASSIGNED_IP} ip daddr ${destination} accept"
done
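Review bot: the `.assigned_ip`, `.dns_servers[]` and `.allowed_destinations[]` values are spliced verbatim into the generated ruleset text with no validation, so any entry that is not a plain IPv4 address or CIDR (an IPv6 DNS server, a hostname, a stray space or quote) makes the whole ruleset fail to load, and a value carrying nft syntax would be emitted as additional rule text. Before the `echo` lines, check each value against an IPv4/CIDR pattern (for example `case "${dns_server}" in *[!0-9./]*) echo "bad dns_server" >&2; exit 1;; esac`) and abort rather than emit. Note also that `ip saddr`/`ip daddr` match IPv4 only; if `dns_servers` can ever carry an IPv6 address, that entry needs a separate `ip6 daddr` rule or must be filtered out here.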