Add automatic local subnet detection for systemd service

Problem:
- Hardcoded IPAddressAllow=192.168.1.0/24 prevented users on different
  subnets (10.0.0.x, 192.168.0.x, 172.16.x.x) from connecting to Pi
- Service would install successfully but SSH connections would fail silently

Solution:
- Add %LOCAL_SUBNET% placeholder to service template
- Auto-detect local subnet in install_service.sh using multiple methods:
  1. Parse default gateway from `ip route`
  2. Fallback: Detect from primary interface IP
  3. Final fallback: Use 192.168.1.0/24 with warning
- Display detected subnet during installation for transparency
- Provide manual override instructions if detection fails

This ensures the systemd network hardening works correctly across
different network configurations without manual editing.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: mlugo-apx

gcode-monitor.service

@@ -7,6 +7,7 @@
 #   %HOME_DIR% - Your home directory
 #   %PROJECT_DIR% - Pi-gcode-server installation directory
 #   %WATCH_DIR% - Directory to monitor for .gcode files
+#   %LOCAL_SUBNET% - Auto-detected local network subnet (e.g., 192.168.1.0/24)
 
 [Unit]
 Description=GCode File Monitor and Sync Service
@@ -34,7 +35,7 @@ TasksMax=20
 RestrictAddressFamilies=AF_INET AF_INET6
 IPAddressDeny=any
 IPAddressAllow=localhost
-IPAddressAllow=192.168.1.0/24
+IPAddressAllow=%LOCAL_SUBNET%
 
 # Filesystem protection (minimal access)
 NoNewPrivileges=true

install_service.sh

@@ -23,18 +23,48 @@ PROJECT_DIR="$SCRIPT_DIR"
 # Use WATCH_DIR from config, or default to Desktop
 WATCH_DIR="${WATCH_DIR:-$HOME/Desktop}"
 
+# Detect local subnet for systemd network restrictions
+# Try multiple methods to find the default gateway/subnet
+LOCAL_SUBNET=""
+if command -v ip >/dev/null 2>&1; then
+    # Method 1: Get default route gateway and derive subnet
+    DEFAULT_GW=$(ip route | grep default | awk '{print $3}' | head -n1)
+    if [ -n "$DEFAULT_GW" ]; then
+        # Convert gateway IP to subnet (e.g., 192.168.1.1 -> 192.168.1.0/24)
+        LOCAL_SUBNET=$(echo "$DEFAULT_GW" | sed 's/\.[0-9]*$/\.0\/24/')
+    fi
+fi
+
+# Fallback: If ip command failed, try to detect from primary interface
+if [ -z "$LOCAL_SUBNET" ] && command -v ip >/dev/null 2>&1; then
+    PRIMARY_IP=$(ip -4 addr show | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | grep -v '127.0.0.1' | head -n1)
+    if [ -n "$PRIMARY_IP" ]; then
+        LOCAL_SUBNET=$(echo "$PRIMARY_IP" | sed 's/\.[0-9]*$/\.0\/24/')
+    fi
+fi
+
+# Final fallback: Use common private network range
+if [ -z "$LOCAL_SUBNET" ]; then
+    echo "WARNING: Could not auto-detect local subnet. Using default 192.168.1.0/24"
+    echo "         If your network uses a different subnet, edit /etc/systemd/system/gcode-monitor.service"
+    echo "         and change the IPAddressAllow line, then run: sudo systemctl daemon-reload"
+    LOCAL_SUBNET="192.168.1.0/24"
+fi
+
 echo "Generating service file with your configuration..."
 echo "  User: $USERNAME"
 echo "  Home: $HOME_DIR"
 echo "  Project: $PROJECT_DIR"
 echo "  Watch Dir: $WATCH_DIR"
+echo "  Local Subnet: $LOCAL_SUBNET"
 echo
 
 # Generate service file from template
 sed -e "s|%USERNAME%|$USERNAME|g" \
     -e "s|%PROJECT_DIR%|$PROJECT_DIR|g" \
     -e "s|%HOME_DIR%|$HOME_DIR|g" \
     -e "s|%WATCH_DIR%|$WATCH_DIR|g" \
+    -e "s|%LOCAL_SUBNET%|$LOCAL_SUBNET|g" \
     "$SCRIPT_DIR/gcode-monitor.service" > /tmp/gcode-monitor.service
 
 echo "Installing gcode-monitor.service..."