fix: add writable cache directory for nix git flake fetching

The listener service had ProtectHome=read-only which prevented Nix
from writing to /root/.cache when fetching git flakes. This adds a
CacheDirectory managed by systemd and sets XDG_CACHE_HOME to use it.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

nixos/module.nix

@@ -103,11 +103,15 @@ in
       after = [ "network-online.target" ];
       wants = [ "network-online.target" ];
 
-      environment = cfg.environment;
+      environment = cfg.environment // {
+        # Nix needs a writable cache for git flake fetching
+        XDG_CACHE_HOME = "/var/cache/homelab-deploy";
+      };
 
       path = [ pkgs.git config.system.build.nixos-rebuild ];
 
       serviceConfig = {
+        CacheDirectory = "homelab-deploy";
         Type = "simple";
         ExecStart = "${cfg.package}/bin/homelab-deploy listener ${args}";
         Restart = "always";