feat(nixos): disk hygiene, dedupe shared options, fix MacPro docs

- common-nixos: nix.settings.auto-optimise-store + larger download buffer.
- workstation: fstrim, boot.tmp.cleanOnBoot, and the shared graphical
  options moved here from the per-host configs (pipewire, swaylock PAM
  stub, redistributable firmware) -- MBP-Asahi gains audio it lacked.
- T400: zramSwap for the low-RAM host.
- MBP-Asahi: nixos-apple-silicon binary cache substituter.
- MacPro31 README: describe the real (LVM/UUID) hardware config; it is no
  longer a placeholder.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

system/machine/T400/README.md

@@ -15,11 +15,11 @@ install time or swap in the generated UUIDs.
 `configuration.nix` imports exactly one boot module. Default is `boot-bios.nix`;
 switch by commenting it out and uncommenting the relevant alternative.
 
-| Firmware | Module | Notes |
-| --- | --- | --- |
-| Stock Lenovo BIOS, or coreboot + **SeaBIOS** payload | `boot-bios.nix` | GRUB on the MBR. Set `device` to the real install disk (`/dev/sda` by default). MBR/legacy layout. |
-| coreboot + **GRUB** payload | `boot-coreboot-grub.nix` | GRUB is config-only (`device = "nodev"`); NixOS does **not** write to a disk. Your coreboot `grub.cfg` (in the flash chip) must `search` for and `configfile` the on-disk `/boot/grub/grub.cfg`, or chainload the disk's GRUB. |
-| coreboot + **Tianocore/edk2 (UEFI)** payload | `boot-coreboot-uefi.nix` | systemd-boot. `canTouchEfiVariables = true` (coreboot honours NVRAM writes). The module **declares its own ESP** (`/boot` vfat, label `ESP`) — when you regenerate `hardware-configuration.nix`, do **not** let it also define `/boot`. Create + label an `ESP` vfat partition (GPT). |
+| Firmware                                             | Module                   | Notes                                                                                                                                                                                                                                                                                 |
+| ---------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Stock Lenovo BIOS, or coreboot + **SeaBIOS** payload | `boot-bios.nix`          | GRUB on the MBR. Set `device` to the real install disk (`/dev/sda` by default). MBR/legacy layout.                                                                                                                                                                                    |
+| coreboot + **GRUB** payload                          | `boot-coreboot-grub.nix` | GRUB is config-only (`device = "nodev"`); NixOS does **not** write to a disk. Your coreboot `grub.cfg` (in the flash chip) must `search` for and `configfile` the on-disk `/boot/grub/grub.cfg`, or chainload the disk's GRUB.                                                        |
+| coreboot + **Tianocore/edk2 (UEFI)** payload         | `boot-coreboot-uefi.nix` | systemd-boot. `canTouchEfiVariables = true` (coreboot honours NVRAM writes). The module **declares its own ESP** (`/boot` vfat, label `ESP`) — when you regenerate `hardware-configuration.nix`, do **not** let it also define `/boot`. Create + label an `ESP` vfat partition (GPT). |
 
 ## Graphics
 

system/machine/T400/configuration.nix

@@ -18,25 +18,18 @@
 
   console.font = "Lat2-Terminus16";
 
-  services.pipewire = {
-    enable = true;
-    pulse.enable = true;
-  };
+  # Low-RAM host (4 GiB max): a compressed RAM swap reduces disk paging.
+  zramSwap.enable = true;
 
   # This host accepts SSH, so open 22 (the firewall itself is enabled in
   # laptop.nix with a default-deny policy).
   services.openssh.enable = true;
   networking.firewall.allowedTCPPorts = [ 22 ];
 
-  # The T400's fingerprint reader differs/may be absent; empty service still
-  # lets swaylock authenticate via password.
-  security.pam.services.swaylock = { };
-
-  # Intel Core 2 (Penryn) microcode + redistributable firmware. The latter also
-  # supplies the iwlwifi blobs (Intel WiFi Link 5100/5300) and the radeon
-  # firmware needed by the discrete GPU below.
+  # Intel Core 2 (Penryn) microcode. Redistributable firmware (enabled in
+  # workstation.nix) supplies the iwlwifi blobs (Intel WiFi Link 5100/5300) and
+  # the radeon firmware needed by the discrete GPU below.
   hardware.cpu.intel.updateMicrocode = true;
-  hardware.enableRedistributableFirmware = true;
 
   # This T400 has the optional discrete GPU fitted: an ATI Mobility Radeon HD
   # 3470 (RV620), driven by the open `radeon` KMS driver. Load it in the initrd