feat(darwin): wire nix-homebrew and make Homebrew authoritative

Add the nix-homebrew input and darwin module so the Homebrew prefix is installed and owned declaratively (no manual bootstrap), with enableRosetta for x86_64 formulae on Apple Silicon and user = host username.

Set homebrew.onActivation.cleanup = zap so the taps/brews/casks/masApps lists are authoritative: anything not declared is removed on activation.

flake.nix

@@ -18,6 +18,8 @@
     # nix-darwin: manage macOS hosts from this same flake.
     nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-26.05";
     nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
+    # nix-homebrew: declaratively own and install the Homebrew prefix on macOS.
+    nix-homebrew.url = "github:zhaofengli/nix-homebrew";
     # Provides mkFlake: the systems/perSystem scaffolding used below.
     flake-parts.url = "github:hercules-ci/flake-parts";
     flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
@@ -32,6 +34,7 @@
       nixos-wsl,
       nixos-apple-silicon,
       nix-darwin,
+      nix-homebrew,
       ...
     }:
     flake-parts.lib.mkFlake { inherit inputs; } (
@@ -109,6 +112,7 @@
         # Shared scaffolding for every Darwin (macOS) host.
         darwinBaseModules = [
           commonModule
+          nix-homebrew.darwinModules.nix-homebrew
           home-manager.darwinModules.home-manager
           {
             home-manager.useGlobalPkgs = true;