Add mcp-master systemd service

Runs the MCP v2 master as a systemd service on rift. Uses
ConditionPathExists so the unit is a no-op on worker nodes
(like orion) that import mcp.nix but don't have the binary.

Starts after mcp-agent.service. Security hardened like the agent
but with ProtectHome=true (master doesn't need /run/user).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

configs/mcp.nix

@@ -22,6 +22,41 @@ in
 
   users.groups.mcp = {};
 
+  # MCP Master — multi-node orchestrator (v2).
+  # Runs on the master node only (rift). Coordinates deployments across
+  # agents, manages edge routing, and maintains cluster state.
+  # Uses ExecStartPre to skip startup if the binary is absent (safe on
+  # worker nodes that import this module but don't run the master).
+  systemd.services.mcp-master = {
+    description = "MCP Master";
+    after = [ "network-online.target" "mcp-agent.service" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    unitConfig = {
+      ConditionPathExists = "/srv/mcp-master/mcp-master";
+    };
+
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "/srv/mcp-master/mcp-master server --config /srv/mcp-master/mcp-master.toml";
+      Restart = "on-failure";
+      RestartSec = 5;
+
+      NoNewPrivileges = true;
+      ProtectSystem = "full";
+      ProtectHome = true;
+      PrivateTmp = true;
+      PrivateDevices = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      RestrictSUIDSGID = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      ReadWritePaths = [ "/srv/mcp-master" ];
+    };
+  };
+
   systemd.services.mcp-agent = {
     description = "MCP Agent";
     after = [ "network-online.target" ];