feat(clan): data-mesher + dm-pull-deploy wiring 🌊

Stage 4e-a of the clan migration. Set up signed-file gossip
(data-mesher, experimental, clan-core) and pull-based NixOS deploy
(dm-pull-deploy, experimental, clan-community) across both servers.

- sunken-ship is the data-mesher bootstrap node + dm-pull-deploy push
  role; phantom-ship joins via /dns/sunken-ship.clan/tcp/7946/... — the
  hostname resolves via /etc/hosts (clanHostsModule) to sunken-ship's
  ZT IPv6 since we don't run a DNS server for the clan domain.
- Both machines run the dm-pull-deploy default role with
  action="switch": they watch /var/lib/data-mesher/files/home/
  dm_pull_deploy/target and nixos-rebuild switch against the pushed
  git+…?rev=…&narHash=… flake ref on each change.
- Signing keys (shared + per-host status) generated via clan vars
  generate, ran on sunken-ship because data-mesher isn't packaged for
  aarch64-darwin.

The legacy dotfiles-rebuild timer stays installed as a fallback until
dm-pull-deploy is proven; a smart push timer on sunken-ship (calls
dm-send-deploy only when origin/main moves) comes next.

vars/per-machine/sunken-ship/data-mesher-node-identity/peer.id/value

@@ -0,0 +1 @@
+12D3KooWPeiEFGKFd58Q6CTbVyCmD5RMXJk7RtcuZfpsshYDxpmy