feat(fw): Renderer-Rewrite + auto-apply + Anti-Lockout

internal/firewall/firewall.go komplett neu: joint zone-iface-mapping (network_interfaces.role), address objects + groups (members expandiert), services + groups, rules, nat-rules. Output: einheitliche View mit Legs (rule × service cross-product) damit das Template kein sub-template/dict braucht. Template: * Anti-Lockout-Block am input-chain-Top (SSH+443 immer erlaubt, KANN nicht von Custom-Rules overruled werden — User-Wunsch). * Rules: pro Leg eine nft-Zeile mit iif/oif sets, ip saddr/daddr, proto+dport, optional log-prefix. * prerouting_nat: iteriert dnat-Rules. * postrouting_nat: snat + masquerade. Auto-apply: FirewallHandler bekommt einen Reloader-Hook der nach jedem POST/PUT/DELETE aufgerufen wird. main.go injected firewall.New(pool).Render — schreibt + sudo nft -f. Sudoers (/etc/sudoers.d/edgeguard): NOPASSWD für 'nft -f /etc/edgeguard/nftables.d/ruleset.nft'. configgen.ReloadService nutzt jetzt sudo (haproxy reload klappte vorher nicht aus dem edgeguard-User). Frontend (Sweep): style={{ marginBottom: 16 }} → className="mb-16" in allen 7 Firewall-Tabs — User-Feedback "globales CSS statt inline". Live auf 89.163.205.6: nft list table inet edgeguard zeigt Anti-Lockout + Baseline + Cluster-Peer-Set + (jetzt noch leere) Custom-Rules-Sektion. render-config postinst-mäßig sauber. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 13:34:06 +02:00
parent e2bdce9271
commit 1b2c0d7411
13 changed files with 542 additions and 161 deletions
--- a/internal/configgen/configgen.go
+++ b/internal/configgen/configgen.go
@@ -16,6 +16,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strings"
 )

 // Generator is the contract every per-service renderer satisfies.
@@ -70,17 +71,18 @@ func AtomicWrite(path string, data []byte, mode os.FileMode) error {
 	return nil
 }

-// ReloadService sends `systemctl reload <name>`. Returns the
-// CombinedOutput on failure so the caller can surface the actual
-// systemd error to the operator.
+// ReloadService runs `sudo -n systemctl reload <name>.service`.
+// edgeguard-api runs as the unprivileged `edgeguard` user; postinst
+// installs a sudoers entry NOPASSWD-ing exactly this command per
+// service that needs it.
 //
 // Some services don't support reload (nftables — no daemon); for
 // those, callers should run the service-specific reload directly
 // rather than calling this helper.
 func ReloadService(name string) error {
-	cmd := exec.Command("systemctl", "reload", name)
+	cmd := exec.Command("sudo", "-n", "/usr/bin/systemctl", "reload", name+".service")
 	if out, err := cmd.CombinedOutput(); err != nil {
-		return fmt.Errorf("systemctl reload %s: %w (output: %s)", name, err, string(out))
+		return fmt.Errorf("sudo systemctl reload %s.service: %w (output: %s)", name, err, strings.TrimSpace(string(out)))
 	}
 	return nil
 }