feat(nix): hybrid setup with flakes + direnv for per-project dev shells

Install Nix (multi-user daemon) on Arch and wire up direnv so any project
can declare its toolchain in a flake.nix and get a hermetic dev shell on
cd. No NixOS, no home-manager, no migration off paru/chezmoi — just one
new package manager scoped to project dev shells.

- meta/nix.txt: nix from extra repo
- meta/dev.txt: direnv (general-purpose, not nix-specific)
- systemd-units/system/nix.txt: nix-daemon.socket (socket-activated)
- etc/nix/nix.conf: enable flakes + nix-command, trusted-users=@wheel,
  auto-optimise-store, keep-outputs/derivations so direnv envs survive GC
- dot_config/direnv/direnvrc: load nix-direnv 3.1.1 via source_url with
  pinned sha256 (not packaged for Arch; refusing -git AUR)
- dot_config/nix/templates/{flake.nix,dev/}: flake template usable via
  'nix flake init -t ~/.config/nix/templates'
- dot_config/zsh/dot_zshrc: 'eval "$(direnv hook zsh)"'

1 files changed, 21 insertions, 0 deletions

diff --git a/etc/nix/nix.conf b/etc/nix/nix.conf
new file mode 100644
index 0000000..eb24511
--- /dev/null
+++ b/etc/nix/nix.conf
@@ -0,0 +1,21 @@
+# /etc/nix/nix.conf — daemon-wide Nix config.
+# Managed by chezmoi (etc/nix/nix.conf in dotfiles).
+
+# Enable `nix` CLI (vs legacy nix-* commands) and flakes.
+experimental-features = nix-command flakes
+
+# Wheel users may configure extra substituters / import paths without
+# the daemon prompting. Safe on a single-user laptop.
+trusted-users = root @wheel
+
+# Hard-link identical store paths to save disk after large builds.
+auto-optimise-store = true
+
+# Keep build outputs and derivations alive even when only referenced
+# from GC roots like direnv envs. Without these, `nix store gc` would
+# drop dev-shell deps and force a re-download next `cd` into a project.
+keep-outputs = true
+keep-derivations = true
+
+# Lift the default 64 MiB download buffer; reduces stalls on big closures.
+download-buffer-size = 524288000