nix: enable ca-derivations + IOG/MLabs caches at install time

Two coupled fixes in section 19.5 of the Dockerfile:

1. Add ca-derivations to experimental-features. Without it, the
   SQLite store is initialized at schema v10 (no Realisations
   table). Plutarch / Liqwid Agora / IOG flakes request
   ca-derivations via nixConfig; first realisation query then
   crashes with `Assertion 'stmt.stmt' failed in nix::SQLiteStmt::
   Use::Use(SQLiteStmt&)`. Pre-enabling at install time means
   store init creates schema v11 with the table. Self-inflicted
   wound caught in the first nix develop attempt against
   github:Liqwid-Labs/agora.

2. Add cache.iog.io + mlabs.cachix.org as substituters with their
   public keys. Without these, every Cardano/Plutarch dep gets
   built from source — hours of GHC compile vs minutes of binary
   cache pull.

Also: write nix.conf BEFORE running the Nix install script,
because the installer reads the user's nix.conf during init to
decide schema. Order-dependent.

accept-flake-config = true so flake nixConfig blocks (which add
their own substituters / experimental features) work without
re-prompting per command.

Dockerfile

@@ -290,21 +290,37 @@ ENV PATH=/home/crafter/.composer/vendor/bin:$PATH
 # a manual-version-pinning fight against the IOG snapshot.
 #
 # Single-user install at /nix, no daemon. Sandbox disabled — nested
-# sandboxes don't work cleanly under Docker. Flakes + nix-command
-# enabled by default.
+# sandboxes don't work cleanly under Docker. Flakes + nix-command +
+# ca-derivations enabled at install time so the SQLite store is
+# initialized with the Realisations schema. Without ca-derivations
+# pre-enabled, store schema is v10 (no Realisations table); flakes
+# that request ca-derivations via nixConfig (Plutarch / Liqwid Agora
+# / IOG Hydra cache, etc) crash on first realisation query with
+# `Assertion 'stmt.stmt' failed in nix::SQLiteStmt::Use::Use`.
 #
-# Cache: bind-mount `/nix` at runtime (compose.yml ships this) so the
+# Substituters: cache.nixos.org (default) + cache.iog.io (IOG Hydra
+# binary cache for Plutarch + Cardano + Haskell.nix closure) +
+# mlabs.cachix.org (MLabs builds — used by Liqwid stack).
+# trusted-substituters lets the user accept new substituters via
+# accept-flake-config without re-confirmation.
+#
+# Cache: /nix is a Docker-managed named volume in compose.yml so the
 # multi-GB haskell-nix downloads persist across container rebuilds.
 USER root
 RUN mkdir -m 0755 /nix && chown crafter:crafter /nix
 USER crafter
 WORKDIR /home/crafter
-RUN curl -fsSL https://nixos.org/nix/install -o /tmp/install-nix.sh \
+RUN mkdir -p /home/crafter/.config/nix \
+    && printf '%s\n' \
+        'experimental-features = nix-command flakes ca-derivations' \
+        'sandbox = false' \
+        'accept-flake-config = true' \
+        'substituters = https://cache.nixos.org https://cache.iog.io https://mlabs.cachix.org' \
+        'trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= mlabs.cachix.org-1:gStKdEqNKcrlSQw5iMW6wFCj3+b+1ASpBVY2SYuNV2M=' \
+        > /home/crafter/.config/nix/nix.conf \
+    && curl -fsSL https://nixos.org/nix/install -o /tmp/install-nix.sh \
     && sh /tmp/install-nix.sh --no-daemon --no-channel-add --no-modify-profile \
-    && rm /tmp/install-nix.sh \
-    && mkdir -p /home/crafter/.config/nix \
-    && printf 'experimental-features = nix-command flakes\nsandbox = false\n' \
-       > /home/crafter/.config/nix/nix.conf
+    && rm /tmp/install-nix.sh
 ENV PATH=/home/crafter/.nix-profile/bin:$PATH
 
 # ============================================================