fix: add iptables-nft to wg-easy for nftables-only kernels

wg-easy's Alpine wg-quick uses legacy iptables which requires the
iptable_nat kernel module. On NixOS kernels compiled without legacy
netfilter modules, the container crashes in a restart loop:

  iptables v1.8.3 (legacy): can't initialize iptables table 'nat'
  Table does not exist (do you need to insmod?)

Fix: build a custom image that installs Alpine's iptables-nft package
and symlinks iptables -> iptables-nft (nftables backend).

vpn/compose.yml

@@ -2,7 +2,10 @@ version: "3.8"
 
 services:
   wireguard:
-    image: weejewel/wg-easy:latest
+    build:
+      context: ./vpn
+      dockerfile: Dockerfile
+    image: wg-easy-iptables-nft:latest
     container_name: wireguard
     cap_add:
       - NET_ADMIN