nixos/wireguard: add option to set firewall mark

Wireguard can tag its packets with a firewall mark. This can be used for
firewalls or policy routing. This is very useful in some setups where
all traffic should go through a wireguard interface. The wireguard
packets cannot go through the wireguard interface and must be routed
differently, which can be done via the Firewall Mark.

The nixos option `config.networking.wireguard.interface.<name>.fwMark`
is of type `types.str` and not `types.int` to allow for specifying the
mark as a hexadecimal value.

nixos/modules/services/networking/wireguard.nix

@@ -137,6 +137,20 @@ let
         See [documentation](https://www.wireguard.com/netns/).
         '';
       };
+
+      fwMark = mkOption {
+        default = null;
+        type = with types; nullOr str;
+        example = "0x6e6978";
+        description = lib.mdDoc ''
+          Mark all wireguard packets originating from
+          this interface with the given firewall mark. The firewall mark can be
+          used in firewalls or policy routing to filter the wireguard packets.
+          This can be useful for setup where all traffic goes through the
+          wireguard tunnel, because the wireguard packets need to be routed
+          differently.
+        '';
+      };
     };
 
   };
@@ -406,6 +420,7 @@ let
           ${concatStringsSep " " (
             [ ''${wg} set "${name}" private-key "${privKey}"'' ]
             ++ optional (values.listenPort != null) ''listen-port "${toString values.listenPort}"''
+            ++ optional (values.fwMark != null) ''fwmark "${values.fwMark}"''
           )}
 
           ${ipPostMove} link set up dev "${name}"