refactor: reorganize flake structure and consolidate user config

Directory structure:
- Move from src/ to root level (system/, user/)
- Remove unused machines (workstation, vm, laptop)

User configuration:
- Add user/home.nix for shared defaults (pass, essentials, default modules)
- Centralize user options in user/default.nix
- Move submodules to consistent paths (bash/bash, git/git, neovim/nvim, vim/vim)

Module reorganization:
- Flatten nested module structures (remove /modules/ subdirs)
- Split CLI vs GUI tools (dev/ for CLI, gui/dev/ for GUI)
- Move neovim/vim to top-level modules (not under utils/)
- Remove security.enable - pass now in user/home.nix
- Remove utils.enable - essentials now in user/home.nix
- Add security/yubikey module with yubikey-manager, age-plugin-yubikey
- Move pcb, design to gui/dev/
- Replace penpot docker wrapper with nixpkgs penpot-desktop
- Remove i3 config
- Remove deprecated wsl.nativeSystemd option

GUI improvements:
- Browser-focused mimeApps in gui/default.nix
- Each WM handles its own auto-start via profileExtra

Cleanup:
- Update README with new structure
- Update justfile paths and valid systems
- Fix submodule paths in .gitmodules

system/machines/server/modules/backup/default.nix

@@ -0,0 +1,103 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+let
+  cfg = config.modules.system.backup;
+
+  recipientArgs = concatMapStrings (r: "-r '${lib.strings.trim r}' ") cfg.recipients;
+
+  # Convert absolute paths to relative for tar, preserving structure
+  # e.g., /var/lib/forgejo -> var/lib/forgejo
+  tarPaths = map (p: removePrefix "/" p) cfg.paths;
+  excludeArgs = concatMapStrings (e: "--exclude='${e}' ") cfg.exclude;
+
+  backupScript = pkgs.writeShellScript "backup" ''
+    set -euo pipefail
+
+    TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+    BACKUP_NAME="backup-$TIMESTAMP.tar.age"
+    TEMP_DIR=$(mktemp -d)
+    trap "rm -rf $TEMP_DIR" EXIT
+
+    echo "Starting backup: $BACKUP_NAME"
+    echo "Paths: ${concatStringsSep " " cfg.paths}"
+
+    export PATH="${pkgs.age-plugin-yubikey}/bin:$PATH"
+    ${pkgs.gnutar}/bin/tar -C / ${excludeArgs}-cf - ${concatStringsSep " " tarPaths} | \
+      ${pkgs.age}/bin/age ${recipientArgs} -o "$TEMP_DIR/$BACKUP_NAME"
+
+    ${pkgs.rclone}/bin/rclone --config /root/.config/rclone/rclone.conf copy "$TEMP_DIR/$BACKUP_NAME" "${cfg.destination}"
+
+    # Prune old backups
+    ${pkgs.rclone}/bin/rclone --config /root/.config/rclone/rclone.conf lsf "${cfg.destination}" | \
+      sort -r | \
+      tail -n +$((${toString cfg.keepLast} + 1)) | \
+      while read -r old; do
+        ${pkgs.rclone}/bin/rclone --config /root/.config/rclone/rclone.conf delete "${cfg.destination}/$old"
+      done
+
+    echo "Backup complete"
+  '';
+
+in
+{
+  options.modules.system.backup = {
+    enable = mkEnableOption "Encrypted backups";
+
+    paths = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = "Absolute paths to include in backup (structure preserved)";
+    };
+
+    exclude = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = "Patterns to exclude (passed to tar --exclude)";
+    };
+
+    recipients = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = "Age public keys for encryption";
+    };
+
+    destination = mkOption {
+      type = types.str;
+      default = "";
+      description = "Rclone destination";
+    };
+
+    schedule = mkOption {
+      type = types.str;
+      default = "daily";
+      description = "Systemd calendar expression";
+    };
+
+    keepLast = mkOption {
+      type = types.int;
+      default = 3;
+      description = "Number of backups to keep";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.rclone ];
+
+    systemd.services.backup = {
+      description = "Encrypted backup";
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = backupScript;
+      };
+    };
+
+    systemd.timers.backup = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = cfg.schedule;
+        Persistent = true;
+      };
+    };
+  };
+}