add Nix toolchain + bump Go to 1.25.9

Two coupled changes:

1. Add a single-user Nix install at section 19.5 so the container can
   `nix develop` / `nix run` / `nix build` for the Cardano smart-
   contract toolchain stack (Plutarch, plutus-core, Liqwid Agora's
   `agora-scripts` exporter — all ship as IOG haskell-nix flakes
   with pinned GHC). Without Nix, building any of those is a manual-
   version-pinning fight.

   Single-user mode (no daemon), sandbox=false (containers can't nest
   sandboxes cleanly), flakes + nix-command experimental features
   enabled. /nix is owned by `crafter` and bind-mounted from
   /mnt/user/appdata/crafting-table/nix in compose so the multi-GB
   haskell-nix downloads survive container rebuilds.

2. Bump GO_VERSION 1.22.10 → 1.25.9. govulncheck@latest (v1.3.0) and
   staticcheck@latest (v0.7.0) both now require Go ≥ 1.25 — building
   with 1.22 hits "requires go >= 1.25.0" and the per-step retry loop
   exhausts. Go's auto-toolchain-switch tries to download 1.25.9 on
   the fly but staticcheck's parent build then runs in 1.22 and
   re-fails. Pinning to 1.25.9 (current Go release) sidesteps the
   wedge.

PATH bump: prepend /home/crafter/.nix-profile/bin so nix-installed
binaries (cabal, ghc inside dev shells, cardano-cli, etc) take
precedence over system tooling without per-recipe prefixing.

Build invocation unchanged — nothing required at the docker run /
docker compose layer beyond the new /nix bind mount in compose.yml.
Kayos 2026-05-06 15:08:01 -07:00
parent d3babae46d
commit b0490a8c02
2 changed files with 31 additions and 2 deletions


@ -35,6 +35,9 @@ services:
- /mnt/user/appdata/crafting-table/data:/data
- /mnt/user/appdata/crafting-table/workspace:/workspace
- /mnt/user/appdata/crafting-table/caches:/caches
# Nix store — persists haskell-nix downloads (multi-GB Plutarch /
# IOG flake closures) across container rebuilds.
- /mnt/user/appdata/crafting-table/nix:/nix
networks: [sulkta]
restart: unless-stopped
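
Review bot: the new `/mnt/user/appdata/crafting-table/nix:/nix` bind mount shadows anything the image build placed under /nix, because a bind mount does not copy image content into an empty host directory the way a fresh named volume does. If the single-user install described in the commit message runs at image build time, a first start against an empty host directory yields a container with no Nix store and nothing behind /home/crafter/.nix-profile/bin, and the ownership that applies is the host directory's, not the `crafter` ownership set in the image. Suggest seeding the host directory or running the installer on first start when /nix/store is missing, and stating the required owner in the comment above the mount. The comment could also say that, with sandbox=false, whatever a build writes to this store persists across rebuilds, so rebuilding the container no longer resets the store to a clean state.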