net-tools: multi-segment WireGuard hub model + bin/wg-render
Adds the missing reconciler piece: render each host's /etc/wireguard/wg1.conf
from data/mesh-hosts.json (WG config was previously hand-built).
- mesh.segments maps <segment> -> {hub, endpoint, dns_host, dns_listen}; hosts
carry `segment` + `wg_pubkey` (public key only). iceland(yuzu) and nyc3(citron)
are independent stars. Legacy single-hub (mesh.hub) still works as fallback.
- bin/wg-render: --keygen/--pubkey bootstrap, --dry-run/--whoami inspect,
--apply installs + `wg syncconf` (idempotent, rollback). Hub gets a [Peer] per
spoke + ip_forward/MASQUERADE; spoke gets one [Peer] = its hub. WG_RENDER_SELF
override for tests/ops.
- bin/wg-dns-sync: segment-aware listen — a segment's dns_host binds its own
dns_listen (citron serves nyc3 on 10.9.0.7; apricot unchanged on 10.9.0.2).
- Registers citron (com.uvlava.quinn.infra, nyc3 hub) + nyc3 keys for lime;
carries the com.uvlava.ct.* DO-name aliases. Tests cover hub/spoke/dns.
(data/mesh-hosts.json also carries pre-existing working-tree normalization:
literal em-dash -> — escapes and expanded alias arrays.)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
de1f7f2dec