feat(nixos): nix-ld + nix-community cache + font coverage (base layer)

In common-nixos.nix (every NixOS host):
- programs.nix-ld for all hosts, not just WSL — foreign dynamic binaries
  (VS Code server, prebuilt toolchains) run on the dev boxes too. Removed
  the now-redundant per-host enable from the EDaaS config.
- nix-community.cachix.org substituter (merges with the Asahi cache).
- Noto sans + colour-emoji fonts and fontconfig defaultFonts mapping, so
  the WSL box (and anything asking fontconfig for "monospace") stops
  rendering tofu.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

system/machine/EDaaS/configuration.nix

@@ -58,7 +58,7 @@
   systemd.services.docker-desktop-proxy.script = lib.mkForce ''${config.wsl.wslConf.automount.root}/wsl/docker-desktop/docker-desktop-user-distro proxy --docker-desktop-root ${config.wsl.wslConf.automount.root}/wsl/docker-desktop "C:\Program Files\Docker\Docker\resources"'';
 
   features.swayDesktop.enable = false;
-  programs.nix-ld.enable = true;
+  # programs.nix-ld is enabled for all NixOS hosts in common-nixos.nix.
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It's perfectly fine and recommended to leave

system/modules/common-nixos.nix

@@ -13,6 +13,18 @@
   nix.settings.auto-optimise-store = true;
   nix.settings.download-buffer-size = 134217728; # 128 MiB
 
+  # Extra binary cache for the nix-community toolchain (home-manager, nixvim,
+  # treefmt, ...). Merges with any host-specific caches (e.g. the Asahi cache on
+  # the MBP) rather than replacing them.
+  nix.settings.substituters = [ "https://nix-community.cachix.org" ];
+  nix.settings.trusted-public-keys = [
+    "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+  ];
+
+  # Run dynamically-linked foreign binaries (VS Code remote server, prebuilt
+  # toolchains, language-server downloads) on every NixOS host, not just WSL.
+  programs.nix-ld.enable = true;
+
   # Minimal system-level CLI available before the home-manager profile loads
   # (e.g. early boot / rescue). User-level tooling lives in home-manager.
   environment.systemPackages = with pkgs; [
@@ -20,9 +32,31 @@
     fastfetch
   ];
 
-  # Terminal font with powerline/Nerd glyphs. Installed on every host because
-  # the tmux statusline (which uses these glyphs) runs everywhere, not just on
-  # the Sway/graphical hosts. foot names it explicitly (home/sway.nix); the Mac
-  # installs it via the Darwin config.
-  fonts.packages = [ pkgs.nerd-fonts.jetbrains-mono ];
+  # Fonts on every host. The Nerd Font carries the powerline/Nerd glyphs the
+  # tmux statusline uses (foot names it explicitly in home/sway.nix); Noto sans +
+  # colour emoji prevent tofu in terminals/TUIs/Firefox -- important on the WSL
+  # box, which does not pull the graphical hosts' default Noto stack. The Mac
+  # installs the Nerd Font via the Darwin config.
+  fonts.packages = with pkgs; [
+    nerd-fonts.jetbrains-mono
+    noto-fonts
+    noto-fonts-color-emoji
+  ];
+  # Map the generic fontconfig families so anything asking for "monospace" gets
+  # the Nerd Font (with emoji fallback), not DejaVu.
+  fonts.fontconfig.defaultFonts = {
+    monospace = [
+      "JetBrainsMono Nerd Font"
+      "Noto Color Emoji"
+    ];
+    sansSerif = [
+      "Noto Sans"
+      "Noto Color Emoji"
+    ];
+    serif = [
+      "Noto Serif"
+      "Noto Color Emoji"
+    ];
+    emoji = [ "Noto Color Emoji" ];
+  };
 }