Add mcp.nix: MCP agent system user with rootless podman

configs/mcp.nix

@@ -0,0 +1,21 @@
+# MCP (Metacircular Control Plane) agent user and configuration.
+#
+# Creates a dedicated 'mcp' system user with rootless podman support.
+# The agent runs as this user and manages containers for all platform
+# services via /srv/.
+{ pkgs, ... }:
+
+{
+  users.users.mcp = {
+    isSystemUser = true;
+    group = "mcp";
+    home = "/srv/mcp";
+    shell = pkgs.shadow; # nologin equivalent
+    subUidRanges = [{ startUid = 100000; count = 65536; }];
+    subGidRanges = [{ startGid = 100000; count = 65536; }];
+    # Lingering enables user services (podman) to run without an active login session.
+    linger = true;
+  };
+
+  users.groups.mcp = {};
+}