WireGuard via NM .nmconnection + sudoers-Fix fuer macOS-Installer

- sudoers: macOS-Version durch Linux-Standard ersetzen (secure_path,
  @includedir /etc/sudoers.d), NOPASSWD fuer rene
- WireGuard: statt wg-quick .nmconnection direkt schreiben mit DNS,
  dns-search ~., autoconnect, persistent Keys (private-key-flags=0)
- m13.conf/m16.conf: PostUp/PostDown entfernt (wg-quick-spezifisch)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

setup-base.sh

@@ -40,6 +40,23 @@ echo "════════════════════════
 echo " setup-base.sh für MBP $MODEL\" startet"
 echo "════════════════════════════════════════════"
 
+# ── 0. sudoers reparieren (macOS-Installer hinterlässt macOS-sudoers) ──────
+echo -e "\n=== 0/11 sudoers ==="
+cat > /etc/sudoers <<'SUDOEOF'
+Defaults   env_reset
+Defaults   secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+root    ALL=(ALL:ALL) ALL
+%sudo   ALL=(ALL:ALL) ALL
+
+@includedir /etc/sudoers.d
+SUDOEOF
+chmod 440 /etc/sudoers
+# Passwordless sudo fuer rene
+echo "rene ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/rene
+chmod 440 /etc/sudoers.d/rene
+ok "sudoers: Linux-Standard + NOPASSWD fuer rene"
+
 # ── 1. Kritische Hardware-Fixes ZUERST (vor allem anderen) ───────────────
 echo -e "\n=== 1/11 Hardware-Fixes ==="
 
@@ -155,16 +172,55 @@ else
         chmod +x /usr/local/bin/temp-watch.sh || warn "temp-watch.sh Download fehlgeschlagen"
 fi
 
-# WireGuard-Config
-if [[ -n "$REPO_DIR" && -f "$REPO_DIR/wireguard/m${MODEL}.conf" ]]; then
-    mkdir -p /etc/wireguard
-    cp "$REPO_DIR/wireguard/m${MODEL}.conf" /etc/wireguard/wg0.conf
-    chmod 600 /etc/wireguard/wg0.conf
-    systemctl enable wg-quick@wg0 2>/dev/null || true
-    # Stub-Resolver noetig fuer Flatpak-Apps (Brave, PrusaSlicer)
-    # DNS wird per PostUp/PostDown in der wg-Config via resolvectl gesetzt
-    ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
-    ok "WireGuard m${MODEL}.conf → /etc/wireguard/wg0.conf"
+# WireGuard via NetworkManager (.nmconnection direkt schreiben, kein nmcli noetig)
+WG_CONF="$REPO_DIR/wireguard/m${MODEL}.conf"
+if [[ -n "$REPO_DIR" && -f "$WG_CONF" ]]; then
+    # Alte wg-quick-Config entfernen falls vorhanden
+    systemctl disable --now wg-quick@wg0 2>/dev/null || true
+    # Werte aus der WireGuard-Conf lesen
+    WG_PRIVKEY=$(grep -oP 'PrivateKey\s*=\s*\K.*' "$WG_CONF")
+    WG_LISTEN=$(grep -oP 'ListenPort\s*=\s*\K.*' "$WG_CONF")
+    WG_ADDR=$(grep -oP 'Address\s*=\s*\K.*' "$WG_CONF")
+    WG_PUBKEY=$(grep -oP 'PublicKey\s*=\s*\K.*' "$WG_CONF")
+    WG_PSK=$(grep -oP 'PresharedKey\s*=\s*\K.*' "$WG_CONF")
+    WG_ALLOWED=$(grep -oP 'AllowedIPs\s*=\s*\K.*' "$WG_CONF" | tr -d ' ')
+    WG_ENDPOINT=$(grep -oP 'Endpoint\s*=\s*\K.*' "$WG_CONF")
+    WG_KEEPALIVE=$(grep -oP 'PersistentKeepalive\s*=\s*\K.*' "$WG_CONF")
+    # NM-Verbindungsdatei direkt schreiben (laeuft als root, Keys persistent)
+    NM_CONN_DIR="/etc/NetworkManager/system-connections"
+    mkdir -p "$NM_CONN_DIR"
+    cat > "$NM_CONN_DIR/wg0.nmconnection" <<WGEOF
+[connection]
+id=wg0
+type=wireguard
+interface-name=wg0
+autoconnect=true
+
+[wireguard]
+listen-port=$WG_LISTEN
+private-key=$WG_PRIVKEY
+private-key-flags=0
+
+[wireguard-peer.${WG_PUBKEY}]
+preshared-key=$WG_PSK
+preshared-key-flags=0
+allowed-ips=$WG_ALLOWED;
+endpoint=$WG_ENDPOINT
+persistent-keepalive=$WG_KEEPALIVE
+
+[ipv4]
+method=manual
+address1=$WG_ADDR
+dns=10.47.11.20;10.47.11.1;
+dns-search=~.;
+
+[ipv6]
+method=ignore
+WGEOF
+    chmod 600 "$NM_CONN_DIR/wg0.nmconnection"
+    nmcli connection reload 2>/dev/null || true
+    nmcli connection up wg0 2>/dev/null || true
+    ok "WireGuard wg0.nmconnection geschrieben (DNS: 10.47.11.20, 10.47.11.1, autoconnect)"
 else
     warn "WireGuard: keine lokale Config gefunden — manuell einrichten"
 fi