feat: systemd unit acties via podman-helper Unix socket

start/stop/restart van systemd units gaan nu via de host-helper
(/run/podman-helper.sock) in plaats van directe systemctl subprocess
vanuit de container. Hiermee wordt de user namespace isolatie omzeild
die D-Bus calls vanuit de container onbetrouwbaar maakt.

- common.py: _helper_call(action, unit) toegevoegd
- app_system.py: /{action}/{unit} route gebruikt helper voor start/stop/restart
- app_containers.py: container_action() gebruikt helper
- daemon-reload en is-active blijven subprocess (read-only, werkt al)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

control/app_system.py

@@ -3,6 +3,7 @@ import subprocess
 
 from fastapi import APIRouter, HTTPException
 from common import (
+    _helper_call,
     _podman_get_json as _common_podman_get_json,
     _systemctl as _common_systemctl,
     run,
@@ -93,7 +94,10 @@ def init_system_router(session, podman_api_base: str, workloads_dir: str) -> API
         if action not in ("status", "start", "stop", "restart"):
             raise HTTPException(status_code=400, detail="Invalid action")
         cmd = ["systemctl", "--user", action, unit]
-        code, out = _run_systemctl_action(action, unit)
+        if action in ("start", "stop", "restart"):
+            code, out = _helper_call(action, unit)
+        else:
+            code, out = _run_systemctl_action(action, unit)
         return {"cmd": " ".join(cmd), "exit": code, "output": out}
 
     return router