feat(k3s-node): Add k3s-node role and enable on john-endesktop

Add reusable k3s-node role with configurable options for server/agent
modes. Configure john-endesktop as a k3s agent joining the cluster at
10.0.0.222.

Role supports:
- Server or agent role selection
- Configurable server address and token file
- Graceful node shutdown
- Optional firewall port opening
- Cluster initialization for first server

Note: NixOS nodes must be labeled with `k3s-upgrade=disabled` to exclude
them from the system-upgrade-controller, since NixOS manages k3s upgrades
through Nix rather than in-place binary replacement.

machines/john-endesktop/configuration.nix

@@ -104,6 +104,14 @@ with lib;
   # User configuration
   roles.users.enable = true;
 
+  # k3s agent configuration
+  roles.k3s-node = {
+    enable = true;
+    role = "agent";
+    # serverAddr defaults to https://10.0.0.222:6443
+    # tokenFile defaults to /etc/k3s/token
+  };
+
   # Time zone
   time.timeZone = "America/Los_Angeles"; # Adjust as needed