feat(db): Phase 1 — DB-Schema, goose-Migrations, GORM-Models

Initialer Schema-Set (8 Migrationen, 13 Tabellen) für EdgeGuard v1:
users + audit_log + system_settings, ha_nodes, backends/domains/
routing_rules/tls_certs, forward_proxy_acls, wireguard_peers,
firewall_rules, dns_zones/dns_records, licenses. Migrations liegen
in internal/database/migrations/ (analog mail-gateway) und werden
per //go:embed ins Binary gepackt — keine separate SQL-Dateien im
.deb. ValidateMigrations + Test schützen vor Duplicate-Versionen
(mail-gateway 2026-05-08-Vorfall). GORM-Models für alle Tabellen,
sensible Felder (password_hash, private_key_enc) sind json:"-".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/database/migrations/0004_forward_proxy.sql

@@ -0,0 +1,32 @@
+-- +goose Up
+-- +goose StatementBegin
+
+-- Squid forward-proxy ACL entries. Generator merges all active rows
+-- into /etc/edgeguard/squid/squid.conf via internal/squid templates.
+--
+-- acl_type matches squid's vocabulary: src, dst, dstdomain, port,
+-- proto, time, url_regex, urlpath_regex, ...
+-- action is allow|deny.
+CREATE TABLE IF NOT EXISTS forward_proxy_acls (
+    id         BIGSERIAL PRIMARY KEY,
+    name       TEXT NOT NULL,
+    acl_type   TEXT NOT NULL,
+    value      TEXT NOT NULL,
+    action     TEXT NOT NULL,
+    priority   INTEGER NOT NULL DEFAULT 100,
+    active     BOOLEAN NOT NULL DEFAULT TRUE,
+    comment    TEXT,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    CONSTRAINT forward_proxy_acls_action_check CHECK (action IN ('allow', 'deny'))
+);
+
+CREATE INDEX IF NOT EXISTS idx_forward_proxy_acls_priority ON forward_proxy_acls (priority DESC);
+CREATE INDEX IF NOT EXISTS idx_forward_proxy_acls_active   ON forward_proxy_acls (active) WHERE active;
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+DROP TABLE IF EXISTS forward_proxy_acls;
+-- +goose StatementEnd