feat(init): pass mgmt + container pools to coold as builder deny nets

When --enable-builder is set, populate BuilderConfig.DenyNets with
the mesh management pool (default 100.64.0.0/16) and the container
pool (default 10.210.0.0/16). coold emits these as
COOLD_BUILDER_DENY_NETS, which the builder adapter expands into
systemd IPAddressDeny entries for every build subprocess.

This keeps the policy in sync with the operator's actual --wg-mgmt-pool
and --container-pool choices without hard-coding RFC1918 defaults.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Andras Bacsai
2026-04-22 10:56:35 +02:00
parent 93e3e626e3
commit 286917cd95
3 changed files with 20 additions and 7 deletions
+5 -2
@@ -53,7 +53,8 @@ type BrokerConfig struct {
// spawns build subprocesses. nil means the capability is disabled and no
// COOLD_BUILDER_* env vars are emitted.
type BuilderConfig struct {
Capacity int // concurrent builds the host accepts; 0 falls back to 2
Capacity int // concurrent builds the host accepts; 0 falls back to 2
DenyNets []string // extra CIDRs to deny at systemd-run IPAddressDeny level
}
// CooldServiceUnitWithBroker is like CooldServiceUnit but injects broker env
@@ -102,11 +103,13 @@ Environment=COOLD_HOST_JWT_PATH=%s
if capacity <= 0 {
capacity = 2
}
denyNets := strings.Join(builder.DenyNets, ",")
builderEnv = fmt.Sprintf(`Environment=COOLD_BUILDER_ENABLED=true
Environment=COOLD_BUILDER_WORK_DIR=%s
Environment=COOLD_BUILDER_CAPACITY=%d
Environment=COOLD_BUILDER_BIN=%s
`, BuilderWorkDir, capacity, BuilderBinaryPath)
Environment=COOLD_BUILDER_DENY_NETS=%s
`, BuilderWorkDir, capacity, BuilderBinaryPath, denyNets)
builderPre = fmt.Sprintf("ExecStartPre=/bin/mkdir -p %s\n", BuilderWorkDir)
}
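Review bot: `strings.Join(builder.DenyNets, ",")` emits `Environment=COOLD_BUILDER_DENY_NETS=` with an empty value whenever no nets are configured, and the adapter that consumes it has to tolerate that — a plain split on "," produces a single empty entry, which systemd would not accept as an IPAddressDeny value; either skip the Environment line when the joined string is empty or state on the field that the empty case is expected. The entries are written verbatim into the unit text with no validation; the caller in this commit passes pool String() output, but the exported field accepts any string, so a field comment such as `// each entry must be a valid CIDR (net.ParseCIDR); written verbatim into the unit file, comma-joined` in the first hunk would pin that contract, and a net.ParseCIDR check belongs here if the function can report errors (its signature is outside the hunk). CooldServiceUnitWithBroker starts before and ends after the hunk.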
+11 -1
@@ -637,7 +637,17 @@ func phase5PerHost(
}
var builderCfg *services.BuilderConfig
if desired.EnableBuilder {
builderCfg = &services.BuilderConfig{Capacity: desired.BuilderCapacity}
denyNets := []string{}
if desired.MgmtPool != nil {
denyNets = append(denyNets, desired.MgmtPool.String())
}
if desired.ContainerPool != nil {
denyNets = append(denyNets, desired.ContainerPool.String())
}
builderCfg = &services.BuilderConfig{
Capacity: desired.BuilderCapacity,
DenyNets: denyNets,
}
}
cooldUnit := services.CooldServiceUnitWithBroker(mgmtIP, nsConfigs, broker, builderCfg)
updateCmd := heredocWrite("/etc/systemd/system/coold.service",
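Review bot: When both desired.MgmtPool and desired.ContainerPool are nil the builder is enabled with an empty DenyNets and nothing records that the network restriction was dropped; the commit message suggests both pools normally carry defaults, but if they can be nil in practice a warning log at that point would make the weakened policy visible to the operator. Minor style: `denyNets := []string{}` would conventionally be `var denyNets []string`, which is equivalent for the strings.Join consumer and differs only if BuilderConfig is ever JSON-encoded. phase5PerHost starts before and ends after the hunk.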
+4 -4
@@ -242,12 +242,12 @@ if ssh_exec "$SERVER_A" "test -f /etc/coolify/jwt.priv" >/dev/null 2>&1; then
for _ in 1 2 3 4 5 6 7 8 9 10; do
sleep 2
for host in "$SERVER_A" "$SERVER_B"; do
if ssh_exec "$host" "systemctl list-units --no-legend --plain 'coolify-build-*.scope' 2>/dev/null | grep -q $CAN_ID"; then
if ssh_exec "$host" "systemctl list-units --no-legend --plain 'coolify-build-*.service' 2>/dev/null | grep -q $CAN_ID"; then
SCOPE_HOST="$host"; break 2
fi
done
done
[[ -n "$SCOPE_HOST" ]] || fail "scope coolify-build-$CAN_ID.scope never appeared"
[[ -n "$SCOPE_HOST" ]] || fail "scope coolify-build-$CAN_ID.service never appeared"
printf ' scope running on %s ✓\n' "$SCOPE_HOST"
ssh_exec "$SERVER_A" "redis-cli XADD build:cmd '*' payload '$CAN_MSG'" >/dev/null
@@ -262,8 +262,8 @@ if ssh_exec "$SERVER_A" "test -f /etc/coolify/jwt.priv" >/dev/null 2>&1; then
done
echo "$RESP" | grep -q '"stage":"cancel"' || fail "expected stage=cancel in response, got: $RESP"
if ssh_exec "$SCOPE_HOST" "systemctl is-active coolify-build-$CAN_ID.scope >/dev/null 2>&1"; then
fail "scope still active after cancel: coolify-build-$CAN_ID.scope"
if ssh_exec "$SCOPE_HOST" "systemctl is-active coolify-build-$CAN_ID.service >/dev/null 2>&1"; then
fail "scope still active after cancel: coolify-build-$CAN_ID.service"
fi
printf ' OK: cancel SIGTERM killed cgroup; stage=cancel ✓\n'
else