system: enable homelab-deploy listener for all vault hosts

Add system/homelab-deploy.nix module that automatically enables the
listener on all hosts with vault.enable=true. Uses homelab.host.tier
and homelab.host.role for NATS subject subscriptions.

- Add homelab-deploy access to all host AppRole policies
- Remove manual listener config from vaulttest01 (now handled by system module)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

hosts/vaulttest01/configuration.nix

@@ -101,28 +101,6 @@ in
     services = [ "vault-test" ];
   };
 
-  # Homelab-deploy listener NKey
-  vault.secrets.homelab-deploy-nkey = {
-    secretPath = "shared/homelab-deploy/listener-nkey";
-    extractKey = "nkey";
-  };
-
-  # Enable homelab-deploy listener
-  services.homelab-deploy.listener = {
-    enable = true;
-    tier = "test";
-    role = "vault";
-    natsUrl = "nats://nats1.home.2rjus.net:4222";
-    nkeyFile = "/run/secrets/homelab-deploy-nkey";
-    flakeUrl = "git+https://git.t-juice.club/torjus/nixos-servers.git";
-  };
-
-  # Ensure listener starts after vault secret is available
-  systemd.services.homelab-deploy-listener = {
-    after = [ "vault-secret-homelab-deploy-nkey.service" ];
-    requires = [ "vault-secret-homelab-deploy-nkey.service" ];
-  };
-
   # Create a test service that uses the secret
   systemd.services.vault-test = {
     description = "Test Vault secret fetching";