feat: finally forward ipv6 traffic

(i know ULA snat is not _the way_, but here we are anyway)

hosts/ward/net.nix

@@ -6,6 +6,7 @@
 }:
 {
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
   networking.hostId = config.repo.secrets.local.networking.hostId;
 
   globals.monitoring.ping.ward = {
@@ -164,7 +165,8 @@
       }
     );
 
-  networking.nftables.firewall = {
+  networking.nftables = {
+    firewall = {
       zones =
         {
           untrusted.interfaces = [ "wan" ];
@@ -198,7 +200,16 @@
             "vlan-guests"
           ];
           to = [ "untrusted" ];
-        masquerade = true;
+          # masquerade = true; NOTE: custom rule below for ip4 + ip6
+          late = true; # Only accept after any rejects have been processed
+          verdict = "accept";
+        };
+
+        # masquerade firezone traffic
+        masquerade-firezone = {
+          from = [ "firezone" ];
+          to = [ "vlan-services" ];
+          # masquerade = true; NOTE: custom rule below for ip4 + ip6
           late = true; # Only accept after any rejects have been processed
           verdict = "accept";
         };
@@ -262,15 +273,6 @@
           verdict = "accept";
         };
 
-      # masquerade firezone traffic
-      masquerade-firezone = {
-        from = [ "firezone" ];
-        to = [ "vlan-services" ];
-        masquerade = true;
-        late = true; # Only accept after any rejects have been processed
-        verdict = "accept";
-      };
-
         # forward firezone traffic
         forward-incoming-firezone-traffic = {
           from = [ "firezone" ];
@@ -286,6 +288,50 @@
       };
     };
 
+    chains.postrouting = {
+      masquerade-firezone = {
+        after = [ "hook" ];
+        late = true;
+        rules =
+          lib.forEach
+            [
+              "firezone"
+            ]
+            (
+              zone:
+              lib.concatStringsSep " " [
+                "meta protocol { ip, ip6 }"
+                (lib.head config.networking.nftables.firewall.zones.${zone}.ingressExpression)
+                (lib.head config.networking.nftables.firewall.zones.vlan-services.egressExpression)
+                "masquerade random"
+              ]
+            );
+      };
+
+      masquerade-internet = {
+        after = [ "hook" ];
+        late = true;
+        rules =
+          lib.forEach
+            [
+              "vlan-services"
+              "vlan-home"
+              "vlan-devices"
+              "vlan-guests"
+            ]
+            (
+              zone:
+              lib.concatStringsSep " " [
+                "meta protocol { ip, ip6 }"
+                (lib.head config.networking.nftables.firewall.zones.${zone}.ingressExpression)
+                (lib.head config.networking.nftables.firewall.zones.untrusted.egressExpression)
+                "masquerade random"
+              ]
+            );
+      };
+    };
+  };
+
   #wireguard.home.server = {
   #  host = todo # config.networking.fqdn;
   #  port = 51192;