Add cloud-router configuration templates and scripts

- Introduced debian templates for cloud-router configuration parameters.
- Added simple-ca.sh script for managing a minimal Certificate Authority (CA) for IKEv2 PKI.
- Created sysctl configuration to enable IP forwarding and adjust rp_filter settings.
- Implemented configure script to render configuration files using Jinja2 templates.
- Added simple-ca script for generating CA and certificates.
- Created Jinja2 templates for various configuration files including netplan, strongSwan, and WireGuard.
- Implemented UFW rules setup for IPsec and WireGuard.
- Added support for road-warrior and site-to-site VPN configurations.

debian/templates

@@ -0,0 +1,80 @@
+Template: cloud-router/local_addrs
+Type: string
+Description: Local WAN IP address(es)
+ Comma-separated list of local WAN IP addresses that strongSwan binds on
+ for the site-to-site and road-warrior tunnels (e.g. 10.1.2.3).
+
+Template: cloud-router/local_fqdn
+Type: string
+Description: Local router FQDN
+ Fully-qualified domain name of this router (e.g. router.example.com).
+ Used as the road-warrior server identity and certificate CN.
+
+Template: cloud-router/local_id_mode
+Type: select
+Choices: fqdn, public_ip, internal_ip
+Default: fqdn
+Description: IKE local identity mode
+ How to derive the IKE identity advertised to the remote site:
+  fqdn        — use the FQDN (default; requires matching on remote side)
+  public_ip   — resolve the public IP from DNS at first boot
+  internal_ip — use the local WAN IP address
+
+Template: cloud-router/local_cidrs
+Type: string
+Description: Local subnet CIDR(s)
+ Comma-separated list of local subnet CIDRs to advertise into the
+ site-to-site tunnel (e.g. 10.0.0.0/24 or 10.0.0.0/24,10.0.1.0/24).
+
+Template: cloud-router/remote_addrs
+Type: string
+Description: Remote site WAN IP address(es)
+ Comma-separated list of remote site WAN IP addresses for the
+ site-to-site IPSec tunnel.
+
+Template: cloud-router/remote_id
+Type: string
+Description: Remote site IKE identity
+ IKE identity of the remote peer (FQDN, without leading @).
+
+Template: cloud-router/psk
+Type: password
+Description: Pre-shared key (PSK)
+ Pre-shared key for the site-to-site IKEv2 tunnel. Must match the
+ value configured on the remote peer.
+
+Template: cloud-router/remote_cidrs
+Type: string
+Description: Remote subnet CIDR(s)
+ Comma-separated list of remote subnet CIDRs for the site-to-site
+ tunnel (e.g. 192.168.0.0/24).
+
+Template: cloud-router/router_int_gateway_ip
+Type: string
+Description: Internal network gateway IP
+ IP address of the next-hop gateway on the internal NIC (eth1).
+ Used in the netplan route for the local subnet.
+
+Template: cloud-router/p2s_address_pool
+Type: string
+Description: Road-warrior address pool
+ CIDR block assigned to road-warrior VPN clients (e.g. 172.16.0.0/24).
+
+Template: cloud-router/wg_enabled
+Type: boolean
+Default: false
+Description: Enable WireGuard VPN?
+ If true, WireGuard is configured on wg0 and its UFW rules are installed.
+
+Template: cloud-router/wg_address
+Type: string
+Default: 10.0.1.1/24
+Description: WireGuard interface address
+ IP address and prefix length for the wg0 interface (e.g. 10.0.1.1/24).
+ Only used when WireGuard is enabled.
+
+Template: cloud-router/wg_listen_port
+Type: string
+Default: 51820
+Description: WireGuard listen port
+ UDP port that WireGuard listens on. Only used when WireGuard is enabled.