feat(nixos): physical-host services — power, bluetooth, OOM, firmware

- thermald on the x86 hosts (guarded; the Asahi MBP self-governs).
- T400 battery charge thresholds (75/80) via tp_smapi; tlp itself comes
  from the nixos-hardware profile.
- Bluetooth (bluez + powerOnBoot) and blueman on the laptops — the MBP
  already loads Apple BT firmware but bluez was never running.
- earlyoom + fwupd on the physical graphical hosts; zram on the Mac Pro.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

system/modules/workstation.nix

@@ -5,12 +5,16 @@
 # The bootloader is NOT set here -- it is firmware-specific, not form-factor:
 # UEFI hosts (MBP, Mac Pro 3,1) use systemd-boot, the BIOS-only T400 uses GRUB.
 # Each machine config declares its own.
-{ ... }:
+{ lib, pkgs, ... }:
 {
   features.swayDesktop.enable = true;
 
   console.keyMap = "dvorak";
 
+  # Intel thermal management. x86 only -- the Asahi MBP governs its own SoC
+  # thermals, and thermald is an Intel-platform daemon.
+  services.thermald.enable = lib.mkIf pkgs.stdenv.hostPlatform.isx86_64 true;
+
   # Default-deny inbound. Hosts that run a listening service open their own
   # ports next to where the service is enabled (e.g. sshd -> 22 on X1).
   networking.firewall.enable = true;
@@ -20,6 +24,14 @@
   services.fstrim.enable = true;
   boot.tmp.cleanOnBoot = true;
 
+  # Userspace OOM killer: act on memory pressure early instead of letting the
+  # kernel OOM-thrash. Matters on the 4 GiB T400 and the elderly Mac Pro.
+  services.earlyoom.enable = true;
+
+  # Firmware updates via LVFS. No-op on the Asahi MBP (Apple-managed firmware),
+  # useful for UEFI/SSD updates on the x86 hosts.
+  services.fwupd.enable = true;
+
   # Audio. PipeWire with the PulseAudio shim covers every graphical host; no
   # per-machine audio config is needed.
   services.pipewire = {