feat: comprehensive NixOS deployment infrastructure

- docs/nix-container-install.md: 474-line guide covering Determinate Systems
  installer, vanilla Nix, NixOS base image, architecture notes (x86_64 vs aarch64),
  cross-compilation, container considerations, troubleshooting
- scripts/deploy.sh: 286-line deployment script with pre-flight checks, git sync,
  build validation (nix build --no-link), 5 actions (switch/boot/test/build/
  dry-activate), color-coded logging, env-based configurability
- scripts/deploy-ssh-config: SSH config for all 3 hosts with dual users for
  lazyworkhorse, reverse tunnel for cyt-pi, uConsole placeholder, Gitea entry

Full replacements of stub files from previous commit.

scripts/deploy-ssh-config

@@ -1,30 +1,63 @@
 # Hermes Container SSH Configuration
 # For NixOS deployment to remote hosts
+#
+# Usage:
+#   cp scripts/deploy-ssh-config ~/.ssh/config.d/hermes-include
+#   Or: cat scripts/deploy-ssh-config >> ~/.ssh/config
+#
+# This config covers all NixOS hosts managed from the Hermes container.
+# Lazyworkhorse has two users: ai-worker (primary automation) and gortium (admin).
+# Cyt-pi connects via reverse SSH tunnel on port 19999.
+# uConsole is a placeholder until LAN-hostname resolution is confirmed.
 
+# ── Global defaults ──────────────────────────────────────────────────
+Host *
+    ServerAliveInterval 60
+    ServerAliveCountMax 3
+    TCPKeepAlive yes
+    Compression yes
+    CompressionLevel 6
+    ControlMaster auto
+    ControlPath ~/.ssh/controlmasters/%r@%h:%p
+    ControlPersist 10m
+    StrictHostKeyChecking no
+    UserKnownHostsFile /dev/null
+
+# ── Hosts ──────────────────────────────────────────────────────────────
+
+# Lazyworkhorse — x86_64 main server (ai-worker@lazyworkhorse.net:2424)
 Host lazyworkhorse
+    HostName lazyworkhorse.net
+    User ai-worker
+    Port 2424
+    IdentityFile /opt/data/home/.ssh/id_hermes_gitea
+
+# Lazyworkhorse — admin access (gortium@lazyworkhorse.net:2425)
+Host lazyworkhorse-admin
+    HostName lazyworkhorse.net
+    User gortium
+    Port 2425
+    IdentityFile /opt/data/home/.ssh/id_hermes_gitea
+
+# Cyt-pi — aarch64 Pi Zero 2 W
+# Connected via reverse SSH tunnel (gortium directs tunnel to :19999)
+Host cyt-pi
     HostName localhost
     User gortium
+    Port 19999
     IdentityFile /opt/data/home/.ssh/id_hermes_gitea
-    StrictHostKeyChecking no
-    UserKnownHostsFile /dev/null
 
-Host cyt-pi
-    HostName cyt-pi.local
-    User thierry
+# uConsole — aarch64 ClockworkPi (placeholder hostname)
+# Replace uconsole.lan with actual IP/hostname when deployed
+Host uConsole uconsole
+    HostName uconsole.lan
+    User gortium
+    Port 22
     IdentityFile /opt/data/home/.ssh/id_hermes_gitea
-    StrictHostKeyChecking no
-    UserKnownHostsFile /dev/null
 
-Host uconsole
-    HostName uconsole.local
-    User thierry
+# ── Gitea host — for git operations ──────────────────────────────────
+Host code
+    HostName code.lazyworkhorse.net
+    Port 2222
+    User gortium
     IdentityFile /opt/data/home/.ssh/id_hermes_gitea
-    StrictHostKeyChecking no
-    UserKnownHostsFile /dev/null
-
-# Generic pattern for .local hosts
-Host *.local
-    User thierry
-    IdentityFile /opt/data/home/.ssh/id_hermes_gitea
-    StrictHostKeyChecking no
-    UserKnownHostsFile /dev/null