feat(db): Phase 1 — DB-Schema, goose-Migrations, GORM-Models

Initialer Schema-Set (8 Migrationen, 13 Tabellen) für EdgeGuard v1:
users + audit_log + system_settings, ha_nodes, backends/domains/
routing_rules/tls_certs, forward_proxy_acls, wireguard_peers,
firewall_rules, dns_zones/dns_records, licenses. Migrations liegen
in internal/database/migrations/ (analog mail-gateway) und werden
per //go:embed ins Binary gepackt — keine separate SQL-Dateien im
.deb. ValidateMigrations + Test schützen vor Duplicate-Versionen
(mail-gateway 2026-05-08-Vorfall). GORM-Models für alle Tabellen,
sensible Felder (password_hash, private_key_enc) sind json:"-".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/models/tls_cert.go

@@ -0,0 +1,20 @@
+package models
+
+import "time"
+
+type TLSCert struct {
+	ID             int64      `gorm:"primaryKey"                  json:"id"`
+	Domain         string     `gorm:"column:domain;uniqueIndex"   json:"domain"`
+	Issuer         string     `gorm:"column:issuer"               json:"issuer"`
+	Status         string     `gorm:"column:status"               json:"status"`
+	CertPath       *string    `gorm:"column:cert_path"            json:"cert_path,omitempty"`
+	KeyPath        *string    `gorm:"column:key_path"             json:"key_path,omitempty"`
+	NotBefore      *time.Time `gorm:"column:not_before"           json:"not_before,omitempty"`
+	NotAfter       *time.Time `gorm:"column:not_after"            json:"not_after,omitempty"`
+	LastRenewedAt  *time.Time `gorm:"column:last_renewed_at"      json:"last_renewed_at,omitempty"`
+	LastError      *string    `gorm:"column:last_error"           json:"last_error,omitempty"`
+	CreatedAt      time.Time  `gorm:"column:created_at"           json:"created_at"`
+	UpdatedAt      time.Time  `gorm:"column:updated_at"           json:"updated_at"`
+}
+
+func (TLSCert) TableName() string { return "tls_certs" }