feat: implement NATS-based NixOS deployment system

Implement the complete homelab-deploy system with three operational modes:

- Listener mode: Runs on NixOS hosts as a systemd service, subscribes to
  NATS subjects with configurable templates, executes nixos-rebuild on
  deployment requests with concurrency control

- MCP mode: MCP server exposing deploy, deploy_admin, and list_hosts
  tools for AI assistants with tiered access control

- CLI mode: Manual deployment commands with subject alias support via
  environment variables

Key components:
- internal/messages: Request/response types with validation
- internal/nats: Client wrapper with NKey authentication
- internal/deploy: Executor with timeout and lock for concurrency
- internal/listener: Subject template expansion and request handling
- internal/cli: Deploy logic with alias resolution
- internal/mcp: MCP server with mcp-go integration
- nixos/module.nix: NixOS module with hardened systemd service

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

internal/deploy/executor_test.go

@@ -0,0 +1,76 @@
+package deploy
+
+import (
+	"testing"
+	"time"
+
+	"git.t-juice.club/torjus/homelab-deploy/internal/messages"
+)
+
+func TestExecutor_BuildCommand(t *testing.T) {
+	tests := []struct {
+		name     string
+		flakeURL string
+		hostname string
+		action   messages.Action
+		revision string
+		want     string
+	}{
+		{
+			name:     "switch action",
+			flakeURL: "git+https://git.example.com/user/nixos-configs.git",
+			hostname: "ns1",
+			action:   messages.ActionSwitch,
+			revision: "master",
+			want:     "nixos-rebuild switch --flake git+https://git.example.com/user/nixos-configs.git?ref=master#ns1",
+		},
+		{
+			name:     "boot action with commit hash",
+			flakeURL: "git+https://git.example.com/user/nixos-configs.git",
+			hostname: "web1",
+			action:   messages.ActionBoot,
+			revision: "abc123def456",
+			want:     "nixos-rebuild boot --flake git+https://git.example.com/user/nixos-configs.git?ref=abc123def456#web1",
+		},
+		{
+			name:     "test action with feature branch",
+			flakeURL: "git+ssh://git@github.com/org/repo.git",
+			hostname: "test-host",
+			action:   messages.ActionTest,
+			revision: "feature/new-feature",
+			want:     "nixos-rebuild test --flake git+ssh://git@github.com/org/repo.git?ref=feature/new-feature#test-host",
+		},
+		{
+			name:     "dry-activate action",
+			flakeURL: "git+https://git.example.com/repo.git",
+			hostname: "prod-1",
+			action:   messages.ActionDryActivate,
+			revision: "v1.0.0",
+			want:     "nixos-rebuild dry-activate --flake git+https://git.example.com/repo.git?ref=v1.0.0#prod-1",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			e := NewExecutor(tc.flakeURL, tc.hostname, 10*time.Minute)
+			got := e.BuildCommand(tc.action, tc.revision)
+			if got != tc.want {
+				t.Errorf("BuildCommand() = %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestNewExecutor(t *testing.T) {
+	e := NewExecutor("git+https://example.com/repo.git", "host1", 5*time.Minute)
+
+	if e.flakeURL != "git+https://example.com/repo.git" {
+		t.Errorf("flakeURL = %q, want %q", e.flakeURL, "git+https://example.com/repo.git")
+	}
+	if e.hostname != "host1" {
+		t.Errorf("hostname = %q, want %q", e.hostname, "host1")
+	}
+	if e.timeout != 5*time.Minute {
+		t.Errorf("timeout = %v, want %v", e.timeout, 5*time.Minute)
+	}
+}