nftui v1.0.0

@github-actions github-actions released this 20 Jun 07:20
· 65 commits to main since this release

The first stable release. Broadens the installation paths (Debian / RPM, Alpine / Arch / OpenWrt packages, a Docker image, plus community Gentoo / AUR references), proves the reproducibility and Nix-flake claims v0.9.0 only asserted with dedicated CI lanes, makes the binary self-identifying (--version), ships a Go-module dependency tarball for offline source builds, and closes the last renderer gap (IPv6 source / destination addresses). Everything in v0.9.0 plus the full post-v0.9.0 candidate pool.

Added

  • --version CLI flag (v1.0.0 item V-1): nftui --version prints nftui <version> to stdout and exits 0. The release version is injected at build time via Goreleaser -ldflags '-X main.version={{ .Version }}'; a source build falls back to the Go build-info module version (set for go install <module>@vX.Y.Z), and finally to dev for a plain go build. Pre-scanned before flag.Parse (like --help), so it works regardless of other flags; surfaced in --help output and the man page OPTIONS. Pure resolveVersion / writeVersion seams in flags.go are unit-tested.
  • Debian / RPM packages (v1.0.0 item V-2): every release now attaches .deb and .rpm packages for amd64 and arm64, built from the same nftui binary as the archives via an nfpms: block in .goreleaser.yaml (nfpm, pure-Go — no rpmbuild/dpkg-dev needed). They install the binary to /usr/bin, the man page to /usr/share/man/man1, and the docs under /usr/share/doc/nftui, and declare a runtime dependency on nftables (nftui shells out to nft(8) for --config load and table/chain rename). The packages are folded into checksums.txt, so the existing keyless cosign signature over the checksum file covers them too. New README "Prebuilt packages" install subsection.
  • Alpine, Arch, and OpenWrt packages (v1.0.0 item V-3): the nfpms: block now also emits .apk (Alpine), .pkg.tar.zst (Arch — via nfpm's archlinux format, installable with pacman -U, no AUR account needed), and .ipk (OpenWrt/opkg) — five package formats total, all from the same nftui binary and folded into checksums.txt. OpenWrt's migration from opkg to apk means the .apk should also serve newer apk-based OpenWrt on matching architectures. nftui deliberately does not auto-publish to the AUR; the release .pkg.tar.zst installs natively without it. README "Prebuilt packages" subsection expanded with a per-format install table. Community-maintainable reference packaging for source distros is provided on a not-published basis: packaging/aur/PKGBUILD (an Arch -bin package over the release tarball) and a Gentoo packaging set consisting of packaging/gentoo/nftui-0.9.0.ebuild (built from source via go-module.eclass) and nftui-bin-0.9.0.ebuild (prebuilt binary), which block each other since both install /usr/bin/nftui, plus a shared metadata.xml and a README.md covering overlay setup and the source build's dependency-tarball requirement.
  • Reproducible-build CI check (v1.0.0 item V-4): a new reproducibility job in .github/workflows/ci.yml builds the release binaries twice with goreleaser build --snapshot and fails if the two differ, verifying that the mod_timestamp + -trimpath + CGO_ENABLED=0 build is byte-for-byte reproducible (only the compiled binaries are compared; archive / package containers are out of scope). Gated on the unit-test job so it skips a non-compiling commit. Validated locally: two independent builds produced identical amd64 and arm64 binaries.
  • Nix flake CI lane (v1.0.0 item V-5): a new nix job in .github/workflows/ci.yml installs Nix (cachix/install-nix-action) and runs nix flake check + nix build .#default, building flake.nix end-to-end on every push — closing the gap that the flake was hand-validated against the buildGoModule schema in v0.9.0 but never actually built. Gated on the unit-test job. One-time bootstrap: flake.nix ships vendorHash = lib.fakeHash, so the first CI run fails and prints the real sha256-... to pin into flake.nix; the lane then guards the hash against go.sum drift.
  • Go module dependency tarball in the release (v1.0.0 item V-7): .github/workflows/release.yml now generates a reproducible nftui-<ver>-deps.tar.xz (via scripts/gen-deps-tarball.sh — the GOMODCACHE from go mod download -modcacherw, packed with deterministic tar + single-threaded xz, mtime pinned to the tagged commit) and gh release uploads it to each release from v1.0.0 onward. It makes offline source builds work without a maintainer-hosted tarball — chiefly the from-source Gentoo ebuild, whose go-module.eclass forbids network access during the build. Integrity is rooted in go.sum (every module hash is pinned, and go.sum ships in the repo + source archive) and the tarball is covered by the SLSA build-provenance attestation (gh attestation verify); it is not added to checksums.txt (cosign has already signed that by then). Verified locally to be byte-reproducible across two builds.
  • IPv6 source/destination address rendering (v1.0.0 item V-6): the rule renderer's payloadToHumanReadable path now recognizes IPv6 saddr / daddr (the 16-byte network-header fields at offsets 8 / 24) and renders them with the ip6 qualifier and a proper v6 address / CIDR — previously these fell through to a raw payload[network header+8:16] == 0x… hex form. Covers exact addresses, byte-aligned / bitwise CIDRs, and anonymous-set forms (ip6 saddr { … }). Test-first: payloadToHumanReadable + ruleToHumanReadableWithSets unit cases, new manual-test fixtures in examples/example-nftables-01.conf (ip6 ip6_hdr_demo), and a root integration test (TestIntegration_IPv6AddressRoundtrip) round-tripping the forms through the live kernel. Resolves the v0.9.0 audit follow-up L-6.
  • Docker image: a root Dockerfile (multi-stage — golang:1.25.8-alpine build, alpine:3.22 runtime) produces a small (~17 MB) image that bundles the nft(8) CLI nftui shells out to at runtime; the version string is injectable via --build-arg VERSION=<tag> into the same -ldflags '-X main.version=…' used by the other release paths (defaults to dev). Because nftui manages the host ruleset, the container is run with --network host --cap-add NET_ADMIN and an interactive TTY. A docker-compose.yml wires the same options up (docker compose run --rm nftui), and a .dockerignore keeps the build context to the Go sources + man page. Verified locally: image builds, nftui --version prints the injected string, the bundled nft resolves, and docker compose config validates. New README "Docker" installation subsection. This was previously a declined packaging candidate; reconsidered and added at the user's request.
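The three-step version resolution described under the --version item (ldflags-injected value, then Go build-info module version, then the literal dev), with the pre-flag.Parse scan and the "nftui <version>" output shape, as an added illustration. This is not nftui's own flags.go; the function names resolveVersion and writeVersion come from the release notes, while versionRequested, the signatures, and the "(devel)" handling are assumptions.

```go
package main

import (
	"flag"
	"fmt"
	"io"
	"os"
	"runtime/debug"
)

// version is the ldflags seam: a release build sets it with
// -ldflags '-X main.version=1.0.0'; a plain `go build` leaves it empty.
var version string

// resolveVersion returns the first usable answer in the documented order:
//  1. the -X-injected value,
//  2. the Go build-info module version (populated by `go install module@vX.Y.Z`;
//     a plain `go build` reports "(devel)", which is treated as unset),
//  3. the literal "dev".
func resolveVersion(injected, buildInfoVersion string) string {
	if injected != "" {
		return injected
	}
	if buildInfoVersion != "" && buildInfoVersion != "(devel)" {
		return buildInfoVersion
	}
	return "dev"
}

// writeVersion prints "nftui <version>" followed by a newline to w.
func writeVersion(w io.Writer, v string) error {
	_, err := fmt.Fprintf(w, "nftui %s\n", v)
	return err
}

// versionRequested scans the raw argument list before flag.Parse, so
// --version is honoured even when the remaining flags would fail to parse.
func versionRequested(args []string) bool {
	for _, a := range args {
		if a == "--version" || a == "-version" {
			return true
		}
	}
	return false
}

func main() {
	if versionRequested(os.Args[1:]) {
		buildInfoVersion := ""
		if info, ok := debug.ReadBuildInfo(); ok {
			buildInfoVersion = info.Main.Version
		}
		if err := writeVersion(os.Stdout, resolveVersion(version, buildInfoVersion)); err != nil {
			os.Exit(1)
		}
		os.Exit(0)
	}
	// Ordinary flag handling only runs when --version was not requested.
	config := flag.String("config", "", "ruleset file to load (assumed flag)")
	flag.Parse()
	fmt.Println("config:", *config)
}
```

Keeping resolveVersion free of any I/O or global state is what makes the fallback chain unit-testable: each step can be exercised with plain string inputs, without a real build or a real ldflags injection.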