| author | 2026-05-20 13:56:09 +0100 | |
|---|---|---|
| committer | 2026-05-20 13:56:09 +0100 | |
| commit | de5146c7976e1fb38e8d1f82c30544462d881100 (patch) | |
| tree | 2de6f2358d6b83b2f64b68fe105ed11d4ff0feea /nix/vm.nix | |
| parent | 52e53ad7956f637af3bb87de79934bfda4b74a2e (diff) | |
refactor(nix): promote remote-dev/ to nix/ with common/vm/host split
Restructures the Home-Manager profile to support both the Arch host and
the Ubuntu remote-dev VM from the same flake.
- remote-dev/ → nix/ (hard rename; .chezmoiignore updated)
- home.nix split into common.nix (shared), vm.nix (Mason runtime
carve-outs + podman stack), host.nix (gpg scdaemon delegation to
system pcscd)
- flake.nix exposes homeConfigurations.{vm,host} via a mkProfile
helper
- rj alias in dot_zshrc updated to ~/.local/share/dotfiles/nix
- bootstrap.sh / justfile updated to use #vm against the new path
The split is behaviour-preserving for the VM: vm.nix + common.nix
together carry the same package set as the previous home.nix.
host.nix is provisioned but not yet wired into bootstrap (phase p8).
Phase 1 of the nix-on-host migration plan.
Diffstat (limited to 'nix/vm.nix')
| -rw-r--r-- | nix/vm.nix | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/nix/vm.nix b/nix/vm.nix
new file mode 100644
index 0000000..d003b6e
--- /dev/null
+++ b/nix/vm.nix
@@ -0,0 +1,71 @@
+{ config, pkgs, lib, dotfilesRoot, ... }:
+
+# VM-only Home-Manager profile (Ubuntu 22.04 remote-dev box). Adds
+# Mason-related runtime carve-outs and the rootless podman stack on
+# top of `common.nix`.
+
+{
+ imports = [ ./common.nix ];
+
+ home.username = builtins.getEnv "USER";
+ home.homeDirectory = builtins.getEnv "HOME";
+
+ home.sessionVariables = {
+ # Ubuntu 20.04-derived hosts still default to cgroups v1; podman 5
+ # warns on every invocation. Flipping to v2 is a host-level reboot
+ # and only matters for --memory/--cpus, so silence the warning.
+ PODMAN_IGNORE_CGROUPSV1_WARNING = "1";
+ };
+
+ home.packages = with pkgs; [
+ # ── Mason-driven LSP carve-outs (removed by phase p6 once Mason is
+ # gone and LSPs come from common.nix directly). Kept here for
+ # now so the VM keeps working between phases. ───────────────────────
+ jre # Mason's groovy-language-server (headless Java)
+ basedpyright # Mason's pypi distro can't install on Ubuntu 20.04
+ # (manylinux_2_28 wheels, uv's python rejects)
+ # Rust toolchain for Mason packages whose only install source is
+ # `cargo install` (shellharden). The Arch host has these via pacman;
+ # on the VM Mason needs cargo+rustc on PATH or it bails with ENOENT.
+ cargo
+ rustc
+
+ # ── Rootless podman ─────────────────────────────────────────────────────
+ # The nix `podman` is wrapped to find these helpers via /nix/store
+ # paths, so we don't need to write a containers.conf for
+ # `helper_binaries_dir`.
+ podman
+ crun # OCI runtime (lighter than runc; default for rootless)
+ conmon # container monitor process
+ netavark # default network stack on podman 4+
+ aardvark-dns # DNS for netavark networks
+ slirp4netns # rootless user-mode networking
+ passt # pasta backend (slirp4netns successor; podman picks it up)
+ ];
+
+ # ── Rootless podman config ──────────────────────────────────────────────────
+ # Kept inline (not in the chezmoi tree) because Arch's system-wide
+ # /etc/containers defaults already work there; these files exist only
+ # to give nix's user-installed podman sane rootless defaults.
+ xdg.configFile."containers/registries.conf".text = ''
+ unqualified-search-registries = ["docker.io", "quay.io", "ghcr.io"]
+ short-name-mode = "permissive"
+ '';
+
+ xdg.configFile."containers/storage.conf".text = ''
+ [storage]
+ # runroot/graphroot default to $XDG_RUNTIME_DIR/containers and
+ # $XDG_DATA_HOME/containers/storage respectively for rootless — leave unset.
+ driver = "overlay"
+
+ [storage.options.overlay]
+ # Kernel >=5.13 supports rootless overlay natively (VM is on 5.15),
+ # so mount_program is left unset → uses the kernel driver directly
+ # instead of fuse-overlayfs.
+ '';
+
+ xdg.configFile."containers/policy.json".text = builtins.toJSON {
+ default = [ { type = "insecureAcceptAnything"; } ];
+ transports.docker-daemon."" = [ { type = "insecureAcceptAnything"; } ];
+ };
+} |
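Review bot: `short-name-mode = "permissive"` together with three `unqualified-search-registries` in the registries.conf block means a non-interactive `podman pull foo` walks docker.io, quay.io and ghcr.io in order and takes the first match, so a short name resolves to whichever registry happens to hold (or has squatted) that name rather than the one the user meant; `short-name-mode = "enforcing"` makes an ambiguous short name fail outright instead of silently picking a registry, and an `[aliases]` table can pin the few short names actually used. The policy.json entries disable image signature verification entirely, which is the same as the stock containers-common default, but the comment block above the config should say so explicitly, e.g. `# insecureAcceptAnything mirrors the stock containers-common policy: no signature verification on pull.`. Separately, `builtins.getEnv "USER"`/`"HOME"` evaluate to empty strings unless the flake is evaluated with `--impure`, so if bootstrap's `#vm` invocation does not pass it, username/homeDirectory will be empty at activation — that is inferred from this hunk alone and worth confirming against bootstrap.sh.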
