refactor: reorganize flake structure and consolidate user config

Directory structure:
- Move from src/ to root level (system/, user/)
- Remove unused machines (workstation, vm, laptop)

User configuration:
- Add user/home.nix for shared defaults (pass, essentials, default modules)
- Centralize user options in user/default.nix
- Move submodules to consistent paths (bash/bash, git/git, neovim/nvim, vim/vim)

Module reorganization:
- Flatten nested module structures (remove /modules/ subdirs)
- Split CLI vs GUI tools (dev/ for CLI, gui/dev/ for GUI)
- Move neovim/vim to top-level modules (not under utils/)
- Remove security.enable - pass now in user/home.nix
- Remove utils.enable - essentials now in user/home.nix
- Add security/yubikey module with yubikey-manager, age-plugin-yubikey
- Move pcb, design to gui/dev/
- Replace penpot docker wrapper with nixpkgs penpot-desktop
- Remove i3 config
- Remove deprecated wsl.nativeSystemd option

GUI improvements:
- Browser-focused mimeApps in gui/default.nix
- Each WM handles its own auto-start via profileExtra

Cleanup:
- Update README with new structure
- Update justfile paths and valid systems
- Fix submodule paths in .gitmodules

system/machines/server/modules/tor/default.nix

@@ -0,0 +1,30 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+let
+  cfg = config.modules.system.tor;
+
+in
+{
+  options.modules.system.tor = {
+    enable = mkEnableOption "Tor";
+  };
+
+  config = mkIf cfg.enable {
+    services.tor = {
+      enable = true;
+
+      client = {
+        enable = true;
+        # SOCKS proxy on 127.0.0.1:9050
+      };
+
+      settings = {
+        ControlPort = 9051;
+        CookieAuthentication = true;
+        CookieAuthFileGroupReadable = true;
+        DataDirectoryGroupReadable = true;
+      };
+    };
+  };
+}