feat(darwin): wire nix-homebrew and make Homebrew authoritative

Add the nix-homebrew input and darwin module so the Homebrew prefix is installed and owned declaratively (no manual bootstrap), with enableRosetta for x86_64 formulae on Apple Silicon and user = host username.

Set homebrew.onActivation.cleanup = zap so the taps/brews/casks/masApps lists are authoritative: anything not declared is removed on activation.

system/machine/Darwin/configuration.nix

@@ -10,18 +10,24 @@
   # Account that runs user-level activation and Homebrew.
   system.primaryUser = username;
 
+  # nix-homebrew owns and installs the Homebrew prefix declaratively, so brew
+  # itself no longer needs a manual bootstrap. enableRosetta permits x86_64
+  # formulae via Rosetta 2 on Apple Silicon.
+  nix-homebrew = {
+    enable = true;
+    enableRosetta = true;
+    user = username;
+  };
+
   # Declarative Homebrew for packages with no nixpkgs equivalent or that must be
-  # the vendor build (GUI casks, Mac App Store apps). Homebrew itself must already
-  # be installed:
-  #   /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+  # the vendor build (GUI casks, Mac App Store apps).
   homebrew = {
     enable = true;
     onActivation = {
       autoUpdate = true;
       upgrade = true;
-      # "none" leaves manually-installed formulae alone. Switch to "zap" to make
-      # the lists below fully authoritative (uninstalls anything not declared).
-      cleanup = "none";
+      # Lists below are authoritative: anything not declared is uninstalled.
+      cleanup = "zap";
     };
     taps = [ ];
     brews = [ ];