Move Hetzner firewall rules into a separate data file

Extract the per-firewall rule data out of control's configuration into
modules/hetzner-firewall-rules.nix, imported like the DNS domains list.
The evaluated rules are unchanged.

modules/hetzner-firewall-rules.nix

@@ -0,0 +1,35 @@
+# Hetzner Cloud firewall rules, keyed by firewall name. Imported by
+# machines/control/configuration.nix and fed to cnx.hetznerFirewall.firewalls.
+#
+# Public SSH (22) is intentionally absent: admin access rides the ZeroTier mesh
+# (inside UDP 9993), with emergency-access as the console fallback.
+let
+  world = [ "0.0.0.0/0" "::/0" ];
+
+  zerotier = {
+    direction = "in";
+    protocol = "udp";
+    port = "9993";
+    source_ips = world;
+    description = "ZeroTier";
+  };
+
+  ping = {
+    direction = "in";
+    protocol = "icmp";
+    source_ips = world;
+    description = "ICMP (ping / PMTUD)";
+  };
+
+  dnsRules = [
+    { direction = "in"; protocol = "udp"; port = "53"; source_ips = world; description = "DNS (UDP)"; }
+    { direction = "in"; protocol = "tcp"; port = "53"; source_ips = world; description = "DNS (TCP)"; }
+    zerotier
+    ping
+  ];
+in
+{
+  "clan-control" = [ zerotier ping ];
+  "clan-ns1" = dnsRules;
+  "clan-ns2" = dnsRules;
+}