feat: initial NixOS home lab infrastructure setup

- Add modular flake-based NixOS configuration
- Implement GitOps foundation with CI/CD pipeline
- Create comprehensive documentation and branching strategy
- Add modular desktop environments (GNOME, Cosmic, Sway)
- Configure virtualization stack (Incus, Libvirt, Podman)
- Set up development tools and hardware-specific modules
- Establish user configuration with literate programming support

This commit represents the completion of Phase 1: Flakes Migration
with modular configuration, virtualization, and GitOps foundation.

.github/PULL_REQUEST_TEMPLATE/home-lab-config.md

@@ -0,0 +1,118 @@
+## 🏠 Home Lab Configuration Change
+
+### 📋 Description
+<!-- Describe what this PR does and why -->
+
+### 🎯 Type of Change
+<!-- Mark all that apply -->
+- [ ] 🐛 Bug fix (non-breaking change that fixes an issue)
+- [ ] ✨ New feature (non-breaking change that adds functionality)
+- [ ] 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] 📚 Documentation update
+- [ ] 🔧 Configuration change
+- [ ] 🏗️ Infrastructure change
+- [ ] 🔒 Security update
+
+### 🖥️ Affected Machines
+<!-- Mark all machines affected by this change -->
+- [ ] `congenital-optimist` (AMD workstation)
+- [ ] `sleeper-service` (Intel file server)
+- [ ] Both machines
+- [ ] New machine configuration
+
+### 🧪 Testing Performed
+<!-- Describe how you tested these changes -->
+- [ ] `nix flake check` passes
+- [ ] `nixos-rebuild test --flake` successful
+- [ ] `nixos-rebuild build --flake` successful
+- [ ] Manual testing of affected functionality
+- [ ] Rollback tested (if applicable)
+
+### 📝 Testing Checklist
+<!-- Check all items that were verified -->
+#### System Functionality
+- [ ] System boots successfully
+- [ ] Network connectivity works
+- [ ] Services start correctly
+- [ ] No error messages in logs
+
+#### Desktop Environment (if applicable)
+- [ ] Desktop environment launches
+- [ ] Applications start correctly
+- [ ] Hardware acceleration works
+- [ ] Audio/video functional
+
+#### Virtualization (if applicable)
+- [ ] Incus containers work
+- [ ] Libvirt VMs functional
+- [ ] Podman containers operational
+- [ ] Network isolation correct
+
+#### Development Environment (if applicable)
+- [ ] Editors launch correctly
+- [ ] Language servers work
+- [ ] Build tools functional
+- [ ] Git configuration correct
+
+#### File Services (if applicable)
+- [ ] NFS mounts accessible
+- [ ] Samba shares working
+- [ ] Backup services operational
+- [ ] Storage pools healthy
+
+### 🔒 Security Considerations
+<!-- Any security implications of this change -->
+- [ ] No new attack vectors introduced
+- [ ] Secrets properly managed
+- [ ] Firewall rules reviewed
+- [ ] User permissions appropriate
+
+### 📖 Documentation
+<!-- Documentation changes -->
+- [ ] README.md updated (if needed)
+- [ ] Module documentation updated
+- [ ] plan.md updated (if needed)
+- [ ] Comments added to complex configurations
+
+### 🔄 Rollback Plan
+<!-- How to rollback if something goes wrong -->
+- [ ] Previous configuration saved
+- [ ] ZFS snapshot created
+- [ ] Rollback procedure documented
+- [ ] Emergency access method available
+
+### 📋 Deployment Notes
+<!-- Special considerations for deployment -->
+- [ ] No special deployment steps required
+- [ ] Requires manual intervention: <!-- describe -->
+- [ ] Needs coordination with other changes
+- [ ] Breaking change requires communication
+
+### 🔗 Related Issues
+<!-- Link any related issues -->
+Fixes #<!-- issue number -->
+Related to #<!-- issue number -->
+
+### 📸 Screenshots/Logs
+<!-- Add any relevant screenshots or log outputs -->
+
+### ✅ Final Checklist
+<!-- Verify before submitting -->
+- [ ] I have tested this change locally
+- [ ] I have updated documentation as needed
+- [ ] I have considered the impact on other machines
+- [ ] I have verified the rollback plan
+- [ ] I have checked for any secrets in the code
+- [ ] This change follows the repository's coding standards
+
+### 🧠 Additional Context
+<!-- Add any other context about the PR here -->
+
+---
+
+**Reviewer Guidelines:**
+1. Verify all testing checkboxes are complete
+2. Review configuration changes for security implications
+3. Ensure rollback plan is realistic
+4. Check that documentation is updated
+5. Validate CI pipeline passes

.github/workflows/ci.yml

@@ -0,0 +1,233 @@
+name: 🏠 Home Lab CI/CD Pipeline
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    # Weekly dependency updates check
+    - cron: '0 0 * * 0'
+
+env:
+  NIXPKGS_ALLOW_UNFREE: 1
+
+jobs:
+  # Lint and validate flake configuration
+  validate:
+    name: 🔍 Validate Configuration
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+        with:
+          extra-conf: |
+            experimental-features = nix-command flakes
+            accept-flake-config = true
+
+      - name: Setup Nix Magic Cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Check flake syntax
+        run: nix flake check --all-systems
+
+      - name: Format check
+        run: |
+          nix fmt
+          git diff --exit-code
+
+  # Build configurations for all machines
+  build:
+    name: 🔨 Build Configurations
+    runs-on: ubuntu-latest
+    needs: validate
+    strategy:
+      matrix:
+        machine: [congenital-optimist, sleeper-service]
+      fail-fast: false
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+        with:
+          extra-conf: |
+            experimental-features = nix-command flakes
+            accept-flake-config = true
+
+      - name: Setup Nix Magic Cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Build ${{ matrix.machine }} configuration
+        run: |
+          nix build .#nixosConfigurations.${{ matrix.machine }}.config.system.build.toplevel
+          
+      - name: Check configuration size
+        run: |
+          nix path-info -S .#nixosConfigurations.${{ matrix.machine }}.config.system.build.toplevel
+          
+  # Security and dependency auditing
+  security:
+    name: 🔒 Security Audit
+    runs-on: ubuntu-latest
+    needs: validate
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+        with:
+          extra-conf: |
+            experimental-features = nix-command flakes
+            accept-flake-config = true
+
+      - name: Setup Nix Magic Cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Run security audit
+        run: |
+          echo "TODO: Implement security auditing"
+          # Future: nix-audit or similar security tools
+          # Check for known vulnerabilities in dependencies
+          
+      - name: Check for secrets in repository
+        run: |
+          echo "Checking for accidentally committed secrets..."
+          if grep -r "PRIVATE KEY\|password\|secret" . --exclude-dir=.git --exclude="*.md" --exclude=".github"; then
+            echo "❌ Potential secrets found in repository"
+            exit 1
+          else
+            echo "✅ No obvious secrets found"
+          fi
+
+  # Documentation and module validation
+  documentation:
+    name: 📚 Documentation & Modules
+    runs-on: ubuntu-latest
+    needs: validate
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+        with:
+          extra-conf: |
+            experimental-features = nix-command flakes
+            accept-flake-config = true
+
+      - name: Setup Nix Magic Cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Validate module structure
+        run: |
+          echo "Validating module structure..."
+          
+          # Check that all modules have proper structure
+          for module in modules/*/*.nix; do
+            echo "Checking $module"
+            nix eval --file "$module" || echo "Warning: $module may have syntax issues"
+          done
+
+      - name: Generate documentation
+        run: |
+          echo "TODO: Generate system documentation"
+          # Future: Automatically generate module documentation
+          # Update README with current system state
+
+  # Update flake.lock and test
+  update-dependencies:
+    name: 🔄 Update Dependencies
+    runs-on: ubuntu-latest
+    if: github.event_name == 'schedule'
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+        with:
+          extra-conf: |
+            experimental-features = nix-command flakes
+            accept-flake-config = true
+
+      - name: Setup Nix Magic Cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Update flake.lock
+        run: |
+          nix flake update
+          
+      - name: Test updated dependencies
+        run: |
+          nix flake check
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "🔄 Update flake.lock - Automated dependency update"
+          title: "Automated dependency update"
+          body: |
+            ## 🔄 Automated Dependency Update
+            
+            This PR updates the flake.lock file with the latest versions of all inputs.
+            
+            ### Changes
+            - Updated all flake inputs to latest versions
+            - Ran `nix flake check` to ensure compatibility
+            
+            ### Validation
+            - [x] Flake syntax validation passed
+            - [x] Build tests completed successfully
+            
+            Please review and test locally before merging.
+          branch: automated/update-dependencies
+          delete-branch: true
+
+  # Deployment (for self-hosted runners on actual machines)
+  deploy:
+    name: 🚀 Deploy Configuration
+    runs-on: self-hosted
+    needs: [validate, build, security]
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    environment: production
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Deploy to machines
+        run: |
+          echo "TODO: Implement deployment strategy"
+          # Future: Implement actual deployment
+          # This would require self-hosted runners on each machine
+          # or remote deployment via SSH
+          
+          echo "Would deploy to:"
+          echo "- congenital-optimist"
+          echo "- sleeper-service"
+
+  # Notification on completion
+  notify:
+    name: 📢 Notify Results
+    runs-on: ubuntu-latest
+    needs: [validate, build, security, documentation]
+    if: always()
+    steps:
+      - name: Notify status
+        run: |
+          echo "Pipeline completed"
+          echo "Validate: ${{ needs.validate.result }}"
+          echo "Build: ${{ needs.build.result }}"
+          echo "Security: ${{ needs.security.result }}"
+          echo "Documentation: ${{ needs.documentation.result }}"
+          
+          # Future: Send notifications to Discord/Slack/Email
+          # if any jobs failed