plan §9: infra bring-up = declarative idempotent reconciliation, not manual/run-once

Strengthen the idempotency guardrail: every infra piece (swarm, traefik recipe deploy,
drone, bridge, dashboard) is a systemd oneshot that re-runs each activation/boot and
converges to desired state (like swarm-init) — no manual post-steps, no run-once
sentinels. Goal: from-scratch install = clone + nixos-rebuild switch + preconditions.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 22:49:49 +01:00
parent 2264e0fa74
commit 4ffcdda9da


@ -653,6 +653,13 @@ Each default stands until the Adversary or reality forces a change; record the c
- **No mocks for the e2e stages.** D2 means real deploys. If something can't be tested for real,
it's a finding, not a pass.
- **Idempotent + reversible.** Anything done to the server must be re-derivable from the repo.
Infra bring-up is **declarative idempotent reconciliation in Nix** — not manual post-steps and not
run-once scripts. Each piece (swarm + `proxy` net, the traefik recipe deploy, Drone, the
comment-bridge, the dashboard) is a systemd **oneshot that re-runs on every activation/boot** and
*converges* to the desired state (inspect → act only if needed → no-op if already correct), like
`swarm-init`. **No `/var/lib/.bootstrapped`-style sentinels** (they don't self-heal drift). The
goal: a from-scratch install is `git clone` + `nixos-rebuild switch` + the operator preconditions
— `docs/install.md` must never accumulate manual post-rebuild steps.
- **Stop on missing *external* infra inputs** (class-A1 in §4.4: cc-ci SSH/root access, the
Tailscale auth key, Gitea bot creds, the pre-issued wildcard cert at `/var/lib/ci-certs/live/`,
registry creds — and the preconfigured DNS/gateway facts) rather than improvising around them;
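Review bot: the new bullet does not say how a oneshot that re-runs on every activation/boot interacts with the "stop on missing external infra inputs" rule that directly follows it. If the traefik recipe deploy or the Drone unit stops because the wildcard cert at `/var/lib/ci-certs/live/` or the registry creds are absent, every later `nixos-rebuild switch` and every boot hits the same stop, including rebuilds that touch nothing infra-related; state whether such a unit fails only itself or the whole activation, and whether the operator preconditions are checked once up front so a missing input is a single clear error rather than something discovered mid-convergence after earlier pieces have already acted. Two smaller gaps: "inspect, act only if needed, no-op if already correct" only covers convergence toward what the repo declares, yet the guardrail is "idempotent + reversible" and "re-derivable from the repo", so say whether the oneshots also remove a stack, network or service that was deleted from the repo or that pruning is out of scope; and the ordering between the five pieces (swarm + `proxy` net before the traefik recipe deploy before Drone, the comment-bridge and the dashboard) is implied by the list order but not stated, so write it down as unit dependencies rather than leaving it to activation order.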