feat: add NixOS deployment infrastructure

- Nix installation guide for container (docs/nix-container-install.md)
- Deployment helper script (scripts/deploy.sh)
- SSH configuration template (scripts/deploy-ssh-config)
- Deployment skill for Hermes (skills/nixos-deploy/)

Enables remote NixOS deployment from Hermes container to target hosts
via SSH with nixos-rebuild --target-host.

Usage:
  ./scripts/deploy.sh <hostname> [branch] [action]

Supported hosts:
  - lazyworkhorse (x86_64)
  - cyt-pi (aarch64)
  - uConsole (aarch64) - config pending

docs/nix-container-install.md

@@ -0,0 +1,32 @@
+# Nix Installation for Hermes Agent Container
+# Add these lines to the Dockerfile to bake Nix into the container image
+
+# --- ADD AFTER BASE IMAGE AND BEFORE USER SETUP ---
+
+# Install Nix (Determinate Systems installer)
+# This provides nix, nixos-rebuild, and the Nix package manager
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl \
+    xz-utils \
+    && rm -rf /var/lib/apt/lists/*
+
+# Download and run Nix installer (non-interactive)
+RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix \
+    -o /tmp/nix-install.sh \
+    && chmod +x /tmp/nix-install.sh \
+    && sh /tmp/nix-install.sh install --no-confirm \
+    && rm /tmp/nix-install.sh
+
+# Configure Nix for flakes
+RUN mkdir -p /root/.config/nix \
+    && echo 'experimental-features = nix-command flakes' > /root/.config/nix/nix.conf \
+    && echo 'substituters = https://cache.nixos.org/' >> /root/.config/nix/nix.conf
+
+# Add Nix to PATH for all users
+ENV PATH="/nix/var/nix/profiles/default/bin:$PATH"
+
+# Optional: Expose Nix daemon socket if you want to use host's Nix (less secure)
+# VOLUME ["/nix/store"]
+# Note: Not recommended for security - builds run in container instead
+
+# --- CONTINUE WITH EXISTENT DOCKERFILE ---

scripts/deploy-ssh-config

@@ -0,0 +1,30 @@
+# Hermes Container SSH Configuration
+# For NixOS deployment to remote hosts
+
+Host lazyworkhorse
+    HostName localhost
+    User gortium
+    IdentityFile /opt/data/home/.ssh/id_hermes_gitea
+    StrictHostKeyChecking no
+    UserKnownHostsFile /dev/null
+
+Host cyt-pi
+    HostName cyt-pi.local
+    User thierry
+    IdentityFile /opt/data/home/.ssh/id_hermes_gitea
+    StrictHostKeyChecking no
+    UserKnownHostsFile /dev/null
+
+Host uconsole
+    HostName uconsole.local
+    User thierry
+    IdentityFile /opt/data/home/.ssh/id_hermes_gitea
+    StrictHostKeyChecking no
+    UserKnownHostsFile /dev/null
+
+# Generic pattern for .local hosts
+Host *.local
+    User thierry
+    IdentityFile /opt/data/home/.ssh/id_hermes_gitea
+    StrictHostKeyChecking no
+    UserKnownHostsFile /dev/null

scripts/deploy.sh

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+# NixOS Deployment Helper Script
+# Usage: ./deploy.sh <hostname> [branch] [action]
+# Example: ./deploy.sh uConsole feat/test switch
+
+set -e
+
+HOSTNAME="${1:-}"
+BRANCH="${2:-main}"
+ACTION="${3:-switch}"
+
+if [ -z "$HOSTNAME" ]; then
+    echo "Usage: $0 <hostname> [branch] [action]"
+    echo "  hostname: lazyworkhorse, cyt-pi, uConsole"
+    echo "  branch:   git branch to deploy (default: main)"
+    echo "  action:   switch, test, boot (default: switch)"
+    exit 1
+fi
+
+# Environment setup
+export GIT_SSH_COMMAND="ssh -i /opt/data/home/.ssh/id_hermes_gitea -o StrictHostKeyChecking=no"
+export PATH="/nix/var/nix/profiles/default/bin:$PATH"
+
+cd /opt/data/infra
+
+echo "=== NixOS Deployment ==="
+echo "Host:   $HOSTNAME"
+echo "Branch: $BRANCH"
+echo "Action: $ACTION"
+echo ""
+
+# Checkout branch
+echo "[1/4] Checking out branch..."
+git fetch origin "$BRANCH" 2>/dev/null || true
+git checkout "$BRANCH" 2>/dev/null || git checkout -b "$BRANCH"
+
+# Update submodules
+echo "[2/4] Updating submodules..."
+git submodule update --init --recursive
+
+# Build configuration
+echo "[3/4] Building configuration..."
+if [ "$ACTION" = "switch" ]; then
+    nixos-rebuild switch --flake ".#$HOSTNAME" --target-host "thierry@$HOSTNAME" --use-remote-sudo
+elif [ "$ACTION" = "test" ]; then
+    nixos-rebuild test --flake ".#$HOSTNAME" --target-host "thierry@$HOSTNAME" --use-remote-sudo
+elif [ "$ACTION" = "boot" ]; then
+    nixos-rebuild boot --flake ".#$HOSTNAME" --target-host "thierry@$HOSTNAME" --use-remote-sudo
+else
+    echo "Unknown action: $ACTION"
+    exit 1
+fi
+
+echo ""
+echo "[4/4] Deployment complete!"
+echo "Host: $HOSTNAME"
+echo "Branch: $BRANCH"
+echo "Time: $(date -Iseconds)"