feat(clan): data-mesher + dm-pull-deploy wiring 🌊

Stage 4e-a of the clan migration. Set up signed-file gossip
(data-mesher, experimental, clan-core) and pull-based NixOS deploy
(dm-pull-deploy, experimental, clan-community) across both servers.

- sunken-ship is the data-mesher bootstrap node + dm-pull-deploy push
  role; phantom-ship joins via /dns/sunken-ship.clan/tcp/7946/... — the
  hostname resolves via /etc/hosts (clanHostsModule) to sunken-ship's
  ZT IPv6 since we don't run a DNS server for the clan domain.
- Both machines run the dm-pull-deploy default role with
  action="switch": they watch /var/lib/data-mesher/files/home/
  dm_pull_deploy/target and nixos-rebuild switch against the pushed
  git+…?rev=…&narHash=… flake ref on each change.
- Signing keys (shared + per-host status) generated via clan vars
  generate, ran on sunken-ship because data-mesher isn't packaged for
  aarch64-darwin.

The legacy dotfiles-rebuild timer stays installed as a fallback until
dm-pull-deploy is proven; a smart push timer on sunken-ship (calls
dm-send-deploy only when origin/main moves) comes next.

vars/shared/dm-pull-deploy-signing-key/signing.key/machines/sunken-ship

@@ -0,0 +1 @@
+../../../../../sops/machines/sunken-ship

vars/shared/dm-pull-deploy-signing-key/signing.key/secret

@@ -0,0 +1,18 @@
+{
+	"data": "ENC[AES256_GCM,data:33EcsUpW/KKNFdpPihdj3Mv5hMEo3lBYNOzRe43H1SH/tpwy5dLGl2FR0KGavOyoBwWf8tL6E3rp2gSm0pt4mGCq4FpMZaa/D4rZ6WWpwNTuNFKUH4uGVs6vRULI6G5yMorzp91TAv2E3yoh6mOKcMdlvqr6K2A=,iv:UR8xtdl6iYCVH4EueD9HyL4BprBJPw9A1KBtPX41uAI=,tag:0c/LO8ggYvHiowTJTe0LdQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFOGRpaFBzYmJBZ092MnJw\nbXIremlST3k5UVY4ZkQ1SVc5amNjbjhTRng0CnYySmZ5Ym8xR09yOUhwVXoyM0tL\nTE9OaElDSXFUUG83dkhFVVlkTUxCb2MKLS0tIHM0WkovcGkvUW9OazZncFhsYTVN\nTnByV3QzeURhdUlyL3FJclpDL1J2T1kKMpSf2lxaEbOl9rcYixFkQoaL4fS0LLz+\nqtCzpbChDgsUZ4aAMowIgPVpH1es4WA412MTmmrhbznNXIdHxnZ40w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zy3q73pujauyajgfqwu0pnyy8732lzwvw87tu7p2xg3xuzaujc2qh6ql77",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiNTA4cHZjaVdtVllkcmo1\nVlFuWVk3eEpNTWtTVUQvNy8yTGF0NkNjc0dJCjlMcm5taWt4R3g4eklIQ3hlY1ow\nK2dsaUMvTU84VkJOVG1uRTJBbDJ0WkEKLS0tIDgyNjZtU3VyNHlianAxcFY5Q0Ra\nU2pHQzd0Y3dUc1VSNDZuZ2RXem1qVkkK0iK/h8nLWZnDbXSNSXh1133Sctia5qsJ\nTsgRZt8amU8IxMF6IlgTQ0voEu5HJbKWzWqrD1tpab1dRil8+b6ljg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-04-20T09:37:03Z",
+		"mac": "ENC[AES256_GCM,data:X/IjodUnCLcNfK251jkUuDU7YO5LXuau6zo5Aef7rX2XVsAFSUT4n+62RX8U4zNturCPkbInb3kUHVr+mCPgIG7k2GHRKZIFu0tbdb8aJlgg2IZ3Zswkd8yiRpqWygV/9rYGKpn58X7czj2aM1ydXr98qKUy8xgKcskB6CgN00E=,iv:2pjNT1o0QdwFRFKq4cTK3lDse652B58tMDHob9ppdM8=,tag:pxQLadQe5OfXscuKeHOa1w==,type:str]",
+		"version": "3.12.2"
+	}
+}

vars/shared/dm-pull-deploy-signing-key/signing.key/users/danny

@@ -0,0 +1 @@
+../../../../../sops/users/danny

vars/shared/dm-pull-deploy-signing-key/signing.pub/value

@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAu7f60z9GVfxiyIJRmH3zlz6QBF/nDzICHHGUcAgUd0M=
+-----END PUBLIC KEY-----