feat(configgen): Phase 2 Config-Generator + nginx → HAProxy-only Pivot

Architektur-Pivot: nginx fällt komplett weg. HAProxy 2.8+ übernimmt
TLS-Termination, L7-Routing per Host-Header und LB. ACME-Webroot
und Management-UI werden von edgeguard-api ausgeliefert (Phase 3
implementiert die zugehörigen Handler); HAProxy proxied
/.well-known/acme-challenge/* und Management-FQDN-Traffic an
127.0.0.1:9443. Eine Distro-Abhängigkeit weniger, ein Renderer
weniger, sauberere Trennung.

Renderer (alle mit Embed-Templates + Tests):
* internal/configgen/  — atomic write + systemctl reload helpers
* internal/haproxy/    — :80 + :443, ACME-ACL, Host-Header-Routing,
                         Stats-Frontend, api_backend Fallback
* internal/firewall/   — default-deny input, stateful baseline,
                         SSH-Rate-Limit, :80/:443 accept,
                         Cluster-Peer-Set für mTLS :8443,
                         Custom-Rules aus PG
* internal/{squid,wireguard,unbound}/ — Stubs (ErrNotImplemented)

Orchestrator + CLI:
* internal/services/configorch/  — fester Reihenfolge-Run, Stubs
                                   sind soft-skip statt fatal
* cmd/edgeguard-ctl render-config [--no-reload] [--only=svc1,svc2]

Packaging:
* postinst: /etc/edgeguard/nginx raus, /var/lib/edgeguard/acme rein,
  self-signed _default.pem via openssl req (damit HAProxy startet
  bevor certbot etwas issuet hat)
* control: Depends nginx raus, openssl rein
* edgeguard-ui: dependency auf nginx weg, "Served by edgeguard-api
  gin StaticFS"

Live-Smoke: render-config gegen lokale PG schreibt /etc/edgeguard/
haproxy/haproxy.cfg + nftables.d/ruleset.nft korrekt; CRUD-Test aus
Phase 2 läuft weiter unverändert.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

packaging/debian/edgeguard-api/DEBIAN/postinst

@@ -21,13 +21,35 @@ case "$1" in
 
         # ── Directories ──────────────────────────────────────────────
         for d in /etc/edgeguard /var/lib/edgeguard /var/log/edgeguard \
-                 /etc/edgeguard/haproxy /etc/edgeguard/nginx \
-                 /etc/edgeguard/squid /etc/edgeguard/wireguard \
-                 /etc/edgeguard/unbound /etc/edgeguard/nftables.d \
-                 /etc/edgeguard/tls; do
+                 /etc/edgeguard/haproxy /etc/edgeguard/squid \
+                 /etc/edgeguard/wireguard /etc/edgeguard/unbound \
+                 /etc/edgeguard/nftables.d /etc/edgeguard/tls \
+                 /var/lib/edgeguard/acme; do
             install -d -m 0750 -o "$EG_USER" -g "$EG_USER" "$d"
         done
 
+        # ── Self-signed default cert so HAProxy starts cleanly ───────
+        # HAProxy `bind :443 ssl crt /etc/edgeguard/tls/` needs at least
+        # one PEM in the directory to come up. Operator runs certbot
+        # later; until then, browsers see an unverified cert which is
+        # the expected first-boot UX.
+        DEFAULT_PEM="/etc/edgeguard/tls/_default.pem"
+        if [ ! -f "$DEFAULT_PEM" ]; then
+            HOSTNAME_FQDN="$(hostname -f 2>/dev/null || hostname)"
+            TMP_KEY="$(mktemp)"
+            TMP_CRT="$(mktemp)"
+            openssl req -x509 -nodes -newkey rsa:2048 \
+                -keyout "$TMP_KEY" -out "$TMP_CRT" \
+                -days 3650 \
+                -subj "/CN=$HOSTNAME_FQDN" \
+                -addext "subjectAltName = DNS:$HOSTNAME_FQDN,DNS:localhost" \
+                >/dev/null 2>&1
+            cat "$TMP_CRT" "$TMP_KEY" > "$DEFAULT_PEM"
+            chown "$EG_USER:$EG_USER" "$DEFAULT_PEM"
+            chmod 0640 "$DEFAULT_PEM"
+            rm -f "$TMP_KEY" "$TMP_CRT"
+        fi
+
         # ── Pre-flight: validate embedded migration set ──────────────
         # Catches duplicate version prefixes BEFORE we touch the DB,
         # so a broken upgrade can't half-apply migrations and leave