fix(api): Service-Mutationen rendern jetzt auch FW automatisch

Bug: Wenn der Operator eine NTP/DNS/Squid/WG-Mutation gemacht hat,
wurde nur der Service neu konfiguriert + reloadet — die Auto-FW-
Rules (udp/123, udp/tcp 53, tcp 3128, udp/<wg-port>) blieben aber
auf dem Stand des letzten firewall-renders. Operator musste manuell
'edgeguard-ctl render-config --only=nftables' fahren.

Fix: withFW-Wrapper in main.go der nach jedem Service-Reloader auch
den firewall-Renderer aufruft. Service-Reload-Errors propagieren
weiterhin (Aktion gilt als gescheitert), FW-Render-Errors werden
nur geloggt (DB-Row ist commited, FW kann nachgezogen werden).

Wirkt für: WG, Squid, DNS, NTP. (HAProxy nicht — Domains/Backends
generieren keine Auto-FW-Rules.)

Version 1.0.41.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

cmd/edgeguard-api/main.go

@@ -45,7 +45,7 @@ import (
 	wgsvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/wireguard"
 )
 
-var version = "1.0.40"
+var version = "1.0.41"
 
 func main() {
 	addr := os.Getenv("EDGEGUARD_API_ADDR")
@@ -184,33 +184,54 @@ func main() {
 		}
 		handlers.NewFirewallHandler(fwZones, fwAddrObj, fwAddrGrp, fwSvc, fwSvcGrp, fwRules, fwNAT, auditRepo, nodeID, fwReloader, pool).Register(authed)
 
+		// withFW wraps a service-reloader so that AFTER the service is
+		// reloaded, the firewall is also re-rendered. Necessary for
+		// services whose state feeds the auto-FW-rule generator (DNS
+		// listen-IPs, Squid ACL count, WG listen-port, NTP serve-clients).
+		// Service-Reload-Errors propagieren; FW-Errors werden nur
+		// geloggt (DB-Row ist commited, FW kann nachgezogen werden).
+		withFW := func(svc func(context.Context) error) func(context.Context) error {
+			return func(ctx context.Context) error {
+				if err := svc(ctx); err != nil {
+					return err
+				}
+				if err := fwReloader(ctx); err != nil {
+					slog.Warn("firewall: re-render after service mutation failed", "error", err)
+				}
+				return nil
+			}
+		}
+
 		// WireGuard reload: re-render /etc/edgeguard/wireguard/*.conf
 		// + restart wg-quick@<iface>. Same pattern as the haproxy +
-		// firewall reloaders.
+		// firewall reloaders. WG braucht FW-Trigger (server-mode
+		// listen-port wird Auto-Rule).
 		wgReloader := func(ctx context.Context) error {
 			return wgrender.New(pool, secretsBox).Render(ctx)
 		}
-		handlers.NewWireguardHandler(wgIfaces, wgPeers, secretsBox, auditRepo, nodeID, wgReloader).Register(authed)
+		handlers.NewWireguardHandler(wgIfaces, wgPeers, secretsBox, auditRepo, nodeID, withFW(wgReloader)).Register(authed)
 
 		// Squid forward-proxy reload — re-render squid.conf + reload
-		// squid.service. sudoers im postinst whitelistet das.
+		// squid.service. sudoers im postinst whitelistet das. ACL-Count
+		// triggert Auto-FW-Rule für tcp/3128.
 		squidReloader := func(ctx context.Context) error {
 			return squidrender.New(pool).Render(ctx)
 		}
-		handlers.NewForwardProxyHandler(fwdProxyRepo, auditRepo, nodeID, squidReloader).Register(authed)
+		handlers.NewForwardProxyHandler(fwdProxyRepo, auditRepo, nodeID, withFW(squidReloader)).Register(authed)
 
-		// Unbound DNS reload — re-render edgeguard.conf + reload
-		// unbound.service.
+		// Unbound DNS reload — re-render edgeguard.conf + restart
+		// unbound. Listen-IPs triggern Auto-FW-Rule für udp/tcp 53.
 		unboundReloader := func(ctx context.Context) error {
 			return unboundrender.New(pool).Render(ctx)
 		}
-		handlers.NewDNSHandler(dnsRepo, auditRepo, nodeID, unboundReloader).Register(authed)
+		handlers.NewDNSHandler(dnsRepo, auditRepo, nodeID, withFW(unboundReloader)).Register(authed)
 
-		// Chrony NTP reload — re-render edgeguard.conf + reload chrony.
+		// Chrony NTP reload — re-render edgeguard.conf + restart chrony.
+		// Listen-IPs + serve_clients triggern Auto-FW-Rule für udp/123.
 		chronyReloader := func(ctx context.Context) error {
 			return chronyrender.New(pool).Render(ctx)
 		}
-		handlers.NewNTPHandler(ntpRepo, auditRepo, nodeID, chronyReloader).Register(authed)
+		handlers.NewNTPHandler(ntpRepo, auditRepo, nodeID, withFW(chronyReloader)).Register(authed)
 	}
 
 	mountUI(r)