feat: initialize repo with NixOS and Home Manager configs

- Add .gitignore for common languages, tools, and OS/editor artifacts
- Configure .gitattributes for Git LFS (fonts, images, archives, ISOs)
- Add README with repo description
- Add flake.nix defining inputs and outputs for NixOS, Home Manager, and related modules
- Introduce home-manager configs:
  - Base home.nix with packages, services, and programs
  - Hyprland WM configuration (waybar, fuzzel, keybindings, theming)
  - Vim (nixvim) setup with LSP and plugins
  - Zsh setup with aliases, Oh My Zsh, clipboard helpers
  - Systemd user services (e.g., librespot)
- Add scripts (GPU monitor, RAM build helper, install automation)
- Add host configurations:
  - Nixbook (Apple laptop) with hardware, disko, and install script
  - Nixstation (desktop) with firewall, virtualization, Btrfs scrub timer
  - Nixtest (test VM) with QEMU + Alpine-based install test harness
  - Common modules (network, NVIDIA, rclone, screen, keychron, users)
- Include statix config for linting

hosts/common/default.nix

@@ -0,0 +1,64 @@
+{ config
+, inputs
+, lib
+, pkgs
+, ...
+}:
+{
+  imports = [ ./users/thiago/default.nix ];
+
+  boot.loader.systemd-boot.enable = true;
+  environment = {
+    shells = with pkgs; [ zsh ];
+    etc = lib.mapAttrs'
+      (name: value: {
+        name = "nix/path/${name}";
+        value.source = value.flake;
+      })
+      config.nix.registry;
+    systemPackages = with pkgs; [
+      exfat
+      file
+      gcsfuse
+      git
+      gnupg
+      home-manager
+      keymapp
+      opensc
+      pciutils
+      pcsc-safenet
+      pcsctools
+      pkcs11helper
+      sops
+      wget
+      zsa-udev-rules
+    ];
+  };
+  hardware.keyboard.zsa.enable = true;
+  networking.networkmanager.enable = true;
+  nix = {
+    registry = (lib.mapAttrs (_: flake: { inherit flake; })) (
+      (lib.filterAttrs (_: lib.isType "flake")) inputs
+    );
+
+    nixPath = [ "/etc/nix/path" ];
+
+    settings = {
+      experimental-features = "nix-command flakes";
+      auto-optimise-store = true;
+    };
+  };
+
+  nixpkgs.config.allowUnfree = true;
+  programs.zsh.enable = true;
+  services = {
+    pcscd.enable = true;
+    # xserver.displayManager.sessionCommands = 
+    #   "${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 64 = Alt_L'";
+
+  };
+  users.groups.scard = { };
+
+  time.timeZone = "America/Sao_Paulo";
+  users.defaultUserShell = pkgs.zsh;
+}

hosts/common/keychron.nix

@@ -0,0 +1,41 @@
+{ pkgs, ... }:
+
+{
+  services.xserver = {
+    enable = true;
+
+    xkb = {
+      layout = "custom-br";
+      variant = "";
+      model = "pc105";
+      extraLayouts = {
+        custom-br = {
+          description = "US Custom BR (apostrophe + c → ç)";
+          languages = [ "eng" ];
+          symbolsFile = pkgs.writeText "custom-br" ''
+            partial alphanumeric_keys
+            xkb_symbols "basic" {
+              include "us(altgr-intl)"
+              name[Group1]= "US Custom BR (apostrophe + c → ç)";
+
+              // Override the apostrophe key to be a fake dead key
+              key <AC10> {
+                type= "FOUR_LEVEL",
+                symbols[Group1]= [ dead_acute, dead_acute, dead_acute, dead_acute ]
+              };
+
+              // Redefine the c key to output ç when used after apostrophe
+              key <AC03> {
+                type= "ALPHABETIC",
+                symbols[Group1]= [ c, C, ccedilla, Ccedilla ]
+              
+              };
+              replace key <LALT> { [ Alt_L, Meta_L ] };
+
+            };
+          '';
+        };
+      };
+    };
+  };
+}

hosts/common/network.nix

@@ -0,0 +1,116 @@
+{ pkgs, ... }:
+{
+  networking = {
+    hostName = "Nixstation";
+    networkmanager.enable = true;
+
+    firewall = {
+      enable = true;
+      allowPing = true;
+      allowedTCPPorts = [
+        2375
+        4780
+        11470
+        25565
+      ];
+      allowedUDPPorts = [
+        8888
+        8899
+      ];
+    };
+  };
+
+  services = {
+    tailscale.enable = true;
+    openssh.enable = true;
+    # openssh.settings.X11Forwarding = true;
+  };
+
+  virtualisation.docker = {
+    enable = true;
+    package = pkgs.docker_25;
+    storageDriver = "btrfs";
+    daemon.settings = {
+      hosts = [ "unix:///var/run/docker.sock" ];
+      features.cdi = true;
+      userland-proxy = false;
+      experimental = true;
+      metrics-addr = "0.0.0.0:9323";
+    };
+
+    # daemon.settings = {
+
+    #   hosts = [
+    #     "unix:///var/run/docker.sock"
+    #   ];
+
+    #   features = {
+    #     cdi = true;
+    #   };
+
+    #   userland-proxy = false;
+    #   experimental = true;
+    #   metrics-addr = "0.0.0.0:9323";
+
+    #   default-runtime = "nvidia";
+    #   runtimes = {
+    #     nvidia = {
+    #       path = "nvidia-container-runtime";
+    #     };
+    #     nvidia-cdi = {
+    #       path = "nvidia-container-runtime.cdi";
+    #     };
+    #     nvidia-legacy = {
+    #       path = "nvidia-container-runtime.legacy";
+    #     };
+    #   };
+    # };
+  };
+
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+
+    settings = {
+      global = {
+        "workgroup" = "WORKGROUP";
+        "server string" = "smbnix";
+        "netbios name" = "smbnix";
+
+        # "use sendfile" = "yes";
+        # "max protocol" = "smb2";
+        # note: localhost is the ipv6 localhost ::1
+        "hosts allow" = "192.168.0. 192.168. 192.168.122.55 127.0.0.1 localhost";
+        "hosts deny" = "0.0.0.0/0";
+        "guest account" = "nobody";
+        "map to guest" = "bad user";
+        security = "user";
+        # shared = {
+        #  path = "/home/thiago/Downloads/oblivion";
+        #  browseable = true;
+        #  writable = false;
+        #  guestOk = true;
+        #  "force user" = "thiago";
+        # };
+      };
+
+      # shares = {
+      #   OneDrive = ''
+      #     path = "/run/media/thiago/hdd0/OneDrive/"
+      #     browseable = "yes"
+      #     "read only" = "no"
+      #     "guest ok" = "no"
+      #     "create mask" = "0644"
+      #     "directory mask" = "0755"
+      #     "force user" = "thiago"
+      #     "force group" = "users"
+      #   '';
+      # };
+    };
+  };
+
+  services.samba-wsdd = {
+    enable = true;
+    openFirewall = true;
+  };
+}

hosts/common/nvidia/default.nix

@@ -0,0 +1,54 @@
+{ config
+, pkgs
+, unstable
+, ...
+}:
+{
+  imports = [
+    #  ./passthrough.nix
+  ];
+
+  hardware = {
+    graphics = {
+      enable = true;
+      enable32Bit = true;
+    };
+    nvidia-container-toolkit = {
+      enable = true;
+      suppressNvidiaDriverAssertion = true;
+    };
+    nvidia = {
+      modesetting.enable = true;
+      powerManagement.enable = false;
+      powerManagement.finegrained = false;
+      open = false; # keep it like that for now, unstable!!
+      nvidiaSettings = true;
+      package = unstable.linuxPackages.nvidiaPackages.latest;
+    };
+  };
+
+  services = {
+    sunshine = {
+      enable = false;
+      # autoStart = true;
+      # openFirewall = true;
+      package = pkgs.sunshine.overrideAttrs (old: {
+        cmakeFlags = (old.cmakeFlags or [ ]) ++ [
+          "-DSUNSHINE_ENABLE_CUDA=OFF"
+          "-DCUDA_FAIL_ON_MISSING=OFF"
+        ];
+      });
+    };
+  };
+  nixpkgs.config.cudaSupport = true;
+  environment.systemPackages = with pkgs; [
+    mesa
+    glxinfo
+    libepoxy
+    libglvnd
+    nvidia-container-toolkit
+    cudaPackages.cudatoolkit
+    cudaPackages.cuda_nvcc
+  ];
+
+}

hosts/common/nvidia/passthrough.nix

@@ -0,0 +1,51 @@
+# Under maintanence
+{ pkgs
+, ...
+}:
+let
+  # Optional helper for manual (re)binding at runtime
+  vfioBindScript = pkgs.writeShellScriptBin "vfio-bind" ''
+    #!${pkgs.runtimeShell}
+    DEV="$1"                    # e.g. 0000:81:00.0
+    echo vfio-pci > /sys/bus/pci/devices/$DEV/driver_override
+    ${pkgs.kmod}/bin/modprobe -i vfio-pci
+    echo "$DEV" > /sys/bus/pci/drivers/vfio-pci/bind
+  '';
+in
+{
+  nixpkgs.config.allowUnfree = true;
+
+  boot = {
+    # Load vfio early and bind the second GPU before NVIDIA can claim it
+    initrd = {
+      kernelModules = [ "vfio_pci" ];
+      preDeviceCommands = ''
+        DEVS="0000:81:00.0 0000:81:00.1"
+        for DEV in $DEVS; do
+          echo "vfio-pci" > /sys/bus/pci/devices/$DEV/driver_override
+        done
+        modprobe -i vfio-pci
+        for DEV in $DEVS; do
+          echo $DEV > /sys/bus/pci/drivers/vfio-pci/bind
+        done
+      '';
+    };
+
+    kernelParams = [
+      "intel_iommu=on"
+      "iommu=pt"
+    ];
+
+    kernelModules = [
+      "vfio_pci"
+      "vfio"
+      "vfio_iommu_type1"
+      "vfio_virqfd"
+    ];
+    blacklistedKernelModules = [ "nouveau" ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    vfioBindScript # optional manual tool
+  ];
+}

hosts/common/rclone.nix

@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    rclone
+    fuse3 # Required for mounting
+  ];
+
+  users.users.thiago = {
+    extraGroups = [ "fuse" ];
+  };
+}

hosts/common/screen.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+  hardware.i2c.enable = true;
+  environment.systemPackages = with pkgs; [
+    ddcutil
+    ddcui
+  ];
+}

hosts/common/users/thiago/default.nix

@@ -0,0 +1,38 @@
+{ pkgs, config, ... }:
+let
+  ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+in
+{
+  users.users.thiago = {
+
+    isNormalUser = true;
+    initialPassword = "changeme";
+    extraGroups =
+      [
+        "networkmanager"
+        "wheel"
+        "scard"
+      ]
+      ++ ifTheyExist [
+        "wireshark"
+        "i2c"
+        "docker"
+        "git"
+        "libvirtd"
+        "libvirt"
+        "video"
+        "kvm"
+        "scanner"
+        "photos"
+      ];
+    openssh.authorizedKeys.keyFiles = [
+      (builtins.fetchurl {
+        url = "https://github.com/sposito.keys";
+        sha256 = "0bwqj8si0q6kp9cdjgkp9kfz17f24wf476zqzvxbygn6f4av0wh2";
+      })
+    ];
+
+    packages = [ pkgs.home-manager ];
+  };
+
+}