nix-cache02: add homelab-deploy builder service

- Configure builder to build nixos-servers and nixos (gunter) repos
- Add builder NKey to Vault secrets
- Update NATS permissions for builder, test-deployer, and admin-deployer
- Grant nix-cache02 access to shared homelab-deploy secrets

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

terraform/vault/hosts-generated.tf

@@ -36,6 +36,7 @@ locals {
     "nix-cache02" = {
       paths = [
         "secret/data/hosts/nix-cache02/*",
+        "secret/data/shared/homelab-deploy/*",
       ]
     }
   

terraform/vault/secrets.tf

@@ -103,6 +103,11 @@ locals {
       data          = { nkey = var.homelab_deploy_admin_deployer_nkey }
     }
 
+    "shared/homelab-deploy/builder-nkey" = {
+      auto_generate = false
+      data          = { nkey = var.homelab_deploy_builder_nkey }
+    }
+
     # Kanidm idm_admin password
     "kanidm/idm-admin-password" = {
       auto_generate   = true

terraform/vault/variables.tf

@@ -73,6 +73,13 @@ variable "homelab_deploy_admin_deployer_nkey" {
   sensitive   = true
 }
 
+variable "homelab_deploy_builder_nkey" {
+  description = "NKey seed for homelab-deploy builder"
+  type        = string
+  default     = "PLACEHOLDER"
+  sensitive   = true
+}
+
 variable "nixos_exporter_nkey" {
   description = "NKey seed for nixos-exporter NATS authentication"
   type        = string