fix: align VM boot disk and add Terraform safety workflows

Switch VM boot order/disks to scsi0 to match cloned NixOS template boot layout, add destroy guards to plan/apply workflows, and replace destroy workflow with a confirmed manual dispatch nuke flow that uses remote B2 state.

.gitea/workflows/terraform-apply.yml

@@ -47,11 +47,24 @@ jobs:
 
       - name: Terraform Plan
         working-directory: terraform
-        run: terraform plan
+        run: terraform plan -out=tfplan
+
+      - name: Block accidental destroy
+        env:
+          ALLOW_TF_DESTROY: ${{ secrets.ALLOW_TF_DESTROY }}
+        working-directory: terraform
+        run: |
+          terraform show -json tfplan > tfplan.json
+          DESTROY_COUNT=$(python3 -c 'import json; p=json.load(open("tfplan.json")); print(sum(1 for rc in p.get("resource_changes", []) if "delete" in rc.get("change", {}).get("actions", [])))')
+          echo "Planned deletes: $DESTROY_COUNT"
+          if [ "$DESTROY_COUNT" -gt 0 ] && [ "${ALLOW_TF_DESTROY}" != "true" ]; then
+            echo "Destroy actions detected. Set ALLOW_TF_DESTROY=true to allow."
+            exit 1
+          fi
 
       - name: Terraform Apply
         working-directory: terraform
-        run: terraform apply -auto-approve
+        run: terraform apply -auto-approve tfplan
 
       - name: Enroll VMs in Tailscale
         env: