Add NixOS flake with dev shell, package, and systemd module

Includes nix develop shell (node, pg, vips), buildNpmPackage derivation,
and a NixOS module for deploying as a systemd service with hardening,
dedicated user, and configurable secrets via environmentFile.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

README.md

@@ -98,6 +98,77 @@ npm run build
 npm run preview
 ```
 
+## NixOS
+
+This project includes a Nix flake with a dev shell, package, and NixOS module.
+
+### Development shell
+
+```bash
+nix develop
+npm install
+npm run dev
+```
+
+Or with direnv (`.envrc` is included):
+
+```bash
+direnv allow
+npm install
+npm run dev
+```
+
+### Build with Nix
+
+```bash
+nix build
+```
+
+### NixOS module (deploy as a service)
+
+Add this flake to your NixOS configuration inputs, then:
+
+```nix
+# flake.nix
+{
+  inputs.buildfor-life-repair.url = "git+https://git.b4l.co.th/B4L/buildfor_life_repair.git";
+}
+```
+
+```nix
+# configuration.nix
+{ inputs, ... }:
+{
+  imports = [ inputs.buildfor-life-repair.nixosModules.default ];
+
+  services.buildfor-life-repair = {
+    enable = true;
+    port = 3000;
+    databaseUrl = "postgresql://bflr:password@localhost:5432/buildfor_life_repair";
+    baseUrl = "https://repair.example.com";
+    openFirewall = true;
+  };
+}
+```
+
+Or use an environment file for secrets:
+
+```nix
+services.buildfor-life-repair = {
+  enable = true;
+  port = 3000;
+  environmentFile = "/run/secrets/bflr-env";  # contains DATABASE_URL=...
+  baseUrl = "https://repair.example.com";
+};
+```
+
+The module creates a systemd service with:
+- Dedicated `bflr` user/group
+- Upload directory at `/var/lib/buildfor-life-repair/uploads`
+- Systemd hardening (NoNewPrivileges, ProtectSystem, PrivateTmp)
+- Auto-restart on failure
+- Optional firewall rule
+
 ## Tech stack
 
 - **Frontend:** SvelteKit 5, Svelte 5 (runes), Tailwind CSS v4