Fix firewall rules not loading on reboot

- Enable and start nftables service during installation
- Create /etc/nftables.conf that includes /etc/nftables.d/wireguard.conf
- nftables service now loads firewall rules automatically on boot
- Update documentation to reflect proper configuration file paths
- Remove historical VALIDATION.md document
- Clean up documentation references to non-existent scripts

FIREWALL.md

@@ -56,45 +56,7 @@ sudo nft list ruleset
 sudo nft list chain inet wireguard input
 ```
 
-### Enable/disable firewall
-```bash
-sudo nftables-firewall enable
-sudo nftables-firewall disable
-```
-
-### Allow additional ports
-```bash
-sudo nftables-firewall allow 80/tcp
-sudo nftables-firewall allow 443/tcp
-```
-
-### Allow from specific IP
-```bash
-# IPv4
-sudo nftables-firewall allow from 192.168.1.100
-
-# IPv6
-sudo nftables-firewall allow from 2001:db8::/32
-
-# CIDR range
-sudo nftables-firewall allow from 192.168.1.0/24
-```
-
-### Delete a rule
-```bash
-# List rules with numbers
-sudo nft -a list chain inet wireguard input
-
-# Delete by handle number
-sudo nftables-firewall delete <handle_number>
-```
-
-### Reload firewall
-```bash
-sudo nftables-firewall reload
-```
-
-### Manually add a rule
+### Add a rule
 ```bash
 # Allow TCP port 8080
 sudo nft add rule inet wireguard input tcp dport 8080 accept
@@ -103,13 +65,27 @@ sudo nft add rule inet wireguard input tcp dport 8080 accept
 sudo nft add rule inet wireguard input udp dport 53 accept
 ```
 
+### Delete a rule
+```bash
+# List rules with handle numbers
+sudo nft -a list chain inet wireguard input
+
+# Delete by handle number
+sudo nft delete rule inet wireguard input handle <handle_number>
+```
+
+### Reload firewall
+```bash
+sudo nft -f /etc/nftables.d/wireguard.conf
+```
+
 ## Important Notes
 
 1. **SSH is always allowed**: The setup explicitly allows SSH to prevent lockout
 2. **IPv4/IPv6 unified**: Single configuration handles both protocols
 3. **Persistent rules**: nftables rules are saved in `/etc/nftables.d/wireguard.conf`
 4. **No UFW dependency**: Direct nftables implementation
-5. **Automatic on boot**: nftables service starts automatically
+5. **Automatic on boot**: nftables service is enabled and starts automatically, loading rules from `/etc/nftables.conf` (which includes `/etc/nftables.d/wireguard.conf`) on system reboot
 
 ## Troubleshooting
 
@@ -161,7 +137,7 @@ sudo nft list table ip6 nat
 sudo nft flush ruleset
 
 # Reload from config
-sudo nftables-firewall reload
+sudo nft -f /etc/nftables.conf
 ```
 
 ### Debug with counters
@@ -200,7 +176,12 @@ sudo nft add rule inet wireguard input tcp dport 3000 ip saddr @knock update @kn
 
 ## Configuration Files
 
-### Main configuration
+### Main configuration (loaded by nftables service)
+```
+/etc/nftables.conf
+```
+
+### WireGuard rules
 ```
 /etc/nftables.d/wireguard.conf
 ```
@@ -209,21 +190,3 @@ sudo nft add rule inet wireguard input tcp dport 3000 ip saddr @knock update @kn
 ```
 /etc/systemd/system/nftables.service
 ```
-
-### Management script
-```
-/usr/local/sbin/nftables-firewall
-```
-
-## Migration from UFW
-
-If migrating from a UFW-based setup:
-
-| UFW Command | nftables Equivalent |
-|-------------|---------------------|
-| `ufw status` | `nft list ruleset` |
-| `ufw enable` | `nftables-firewall enable` |
-| `ufw disable` | `nftables-firewall disable` |
-| `ufw allow 80/tcp` | `nft add rule inet wireguard input tcp dport 80 accept` |
-| `ufw delete allow 80/tcp` | `nft delete rule inet wireguard input handle <num>` |
-| `ufw reset` | `nft flush ruleset && nftables-firewall reload` |