feat(nixos): disk hygiene, dedupe shared options, fix MacPro docs

- common-nixos: nix.settings.auto-optimise-store + larger download buffer.
- workstation: fstrim, boot.tmp.cleanOnBoot, and the shared graphical
  options moved here from the per-host configs (pipewire, swaylock PAM
  stub, redistributable firmware) -- MBP-Asahi gains audio it lacked.
- T400: zramSwap for the low-RAM host.
- MBP-Asahi: nixos-apple-silicon binary cache substituter.
- MacPro31 README: describe the real (LVM/UUID) hardware config; it is no
  longer a placeholder.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

system/machine/T400/configuration.nix

@@ -18,25 +18,18 @@
 
   console.font = "Lat2-Terminus16";
 
-  services.pipewire = {
-    enable = true;
-    pulse.enable = true;
-  };
+  # Low-RAM host (4 GiB max): a compressed RAM swap reduces disk paging.
+  zramSwap.enable = true;
 
   # This host accepts SSH, so open 22 (the firewall itself is enabled in
   # laptop.nix with a default-deny policy).
   services.openssh.enable = true;
   networking.firewall.allowedTCPPorts = [ 22 ];
 
-  # The T400's fingerprint reader differs/may be absent; empty service still
-  # lets swaylock authenticate via password.
-  security.pam.services.swaylock = { };
-
-  # Intel Core 2 (Penryn) microcode + redistributable firmware. The latter also
-  # supplies the iwlwifi blobs (Intel WiFi Link 5100/5300) and the radeon
-  # firmware needed by the discrete GPU below.
+  # Intel Core 2 (Penryn) microcode. Redistributable firmware (enabled in
+  # workstation.nix) supplies the iwlwifi blobs (Intel WiFi Link 5100/5300) and
+  # the radeon firmware needed by the discrete GPU below.
   hardware.cpu.intel.updateMicrocode = true;
-  hardware.enableRedistributableFirmware = true;
 
   # This T400 has the optional discrete GPU fitted: an ATI Mobility Radeon HD
   # 3470 (RV620), driven by the open `radeon` KMS driver. Load it in the initrd