feat(ufw): auto-open firewall ports after app installation

- cloudpanel: allow ftp, smtp, dns, http, https, smtps, imaps, pop3s, and admin panel ports
- coolify: allow http, https, and dashboard port after install
- pterodactyl: allow http, https, wings daemon (8080), and sftp (2022) ports
- uptime-kuma: allow app port on install
- proxmox: add open_firewall_ports() with ufw guard checks and new menu option [9]

lib/common.sh

@@ -122,6 +122,25 @@ apt_noninteractive() {
     echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections 2>/dev/null || true
 }
 
+# Add a UFW allow rule, but only if UFW is installed AND active. No-op
+# otherwise — so app installers can declare the ports they need without
+# forcing UFW on hosts that don't use it.
+#
+# Usage:
+#   ufw_allow 8000/tcp "Coolify dashboard"
+#   ufw_allow 80/tcp
+ufw_allow() {
+    command -v ufw >/dev/null 2>&1 || return 0
+    ufw status 2>/dev/null | grep -q "Status: active" || return 0
+    local rule=$1 comment=${2:-}
+    if [ -n "$comment" ]; then
+        ufw allow "$rule" comment "$comment" >/dev/null
+    else
+        ufw allow "$rule" >/dev/null
+    fi
+    ok "UFW: allowed ${rule}${comment:+ (${comment})}"
+}
+
 # Wait for other apt/dpkg processes to release their locks. Up to 120s.
 wait_for_apt() {
     command -v apt >/dev/null 2>&1 || return 0