Add Incus container support to sandboxed workspaces

- Add incus.nix module for fully declarative Incus/LXC containers
- Build NixOS LXC images using nixpkgs.lib.nixosSystem
- Ephemeral containers: recreated on each start, cleaned up on stop
- Use flock to serialize concurrent container operations
- Deterministic MAC addresses via lib.mkMac to prevent ARP cache issues
- Add veth* to NetworkManager unmanaged interfaces
- Update CLAUDE.md with coding conventions and shared lib docs

machines/fry/workspaces/test-container.nix

@@ -4,7 +4,7 @@
 #
 # Add to sandboxed-workspace.workspaces in machines/fry/default.nix:
 #   sandboxed-workspace.workspaces.test-container = {
-#     type = "container";
+#     type = "container" OR "incus";
 #     config = ./workspaces/test-container.nix;
 #     ip = "192.168.83.50";
 #   };