fix(unbound): restart statt reload + DNS Auto-FW-Rules dokumentiert

Bug: Unbound bindet Listen-Sockets nur beim startup. Bei einer
Mutation von dns_settings.listen_addresses (z.B. neue LAN-IP für
Resolver-Zugriff) hat 'systemctl reload' die Config zwar gelesen,
aber nicht neu gebound — neue IPs blieben tot.

Fix: Renderer ruft RestartService statt ReloadService. ~200ms
Resolver-Downtime beim Save, dafür konsistentes Verhalten für jede
Settings/Zone/Record-Mutation.

Plus configgen.RestartService Helper neu (analog ReloadService),
sudoers im postinst um systemctl restart unbound.service erweitert.

NOTE für DNS-LAN-Zugang: zwei Operator-FW-Rules nötig (DNS-UDP +
DNS-TCP from any to any) wenn der Resolver auf LAN-IPs lauscht.
Aktuell manuell anzulegen — ein Auto-Rule-Generator (analog
NAT-auto-forward) wäre die nächste Iteration.

Version 1.0.36.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/configgen/configgen.go

@@ -87,6 +87,18 @@ func ReloadService(name string) error {
 	return nil
 }
 
+// RestartService runs `sudo -n systemctl restart <name>.service`.
+// Use over ReloadService when the daemon needs to re-read more than
+// just rules — e.g. unbound rebinds listen-sockets only on startup,
+// so a settings.listen_addresses change requires restart.
+func RestartService(name string) error {
+	cmd := exec.Command("sudo", "-n", "/usr/bin/systemctl", "restart", name+".service")
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("sudo systemctl restart %s.service: %w (output: %s)", name, err, strings.TrimSpace(string(out)))
+	}
+	return nil
+}
+
 // EtcEdgeguard is the on-target config root. Templated path used by
 // all renderers — never let renderers hard-code their own.
 const EtcEdgeguard = "/etc/edgeguard"