feat: bake everything into live ISO — no first-login script

Instead of downloading at first login, everything is ready at boot:

- iso/build-live-iso.sh:
  * apply-live-settings.sh XDG autostart applies theme/wallpaper/terminal
    via gsettings at first Cinnamon login (reliable vs dconf binary format)
  * /etc/environment: XDG_DATA_DIRS includes nix profile so Cinnamon menu
    shows pre-baked nix apps immediately
  * /etc/profile.d/nix-prebaked.sh: PATH setup for terminal sessions
  * first-login.sh kept at /usr/local/libexec but NOT autostarted (manual
    use for Claude/NVM installs)
  * NIX_PACKAGES_PREBAKE passed to Docker build

- iso/_inner-build-live.sh:
  * Pre-bake nix packages inside Docker before mklive.sh; copy /nix store
    into squashfs overlay; set /etc/skel/.nix-profile → store profile path
  * Cached at /cache/nix-prebake (keyed by package list md5)

- iso/Dockerfile: add rsync (needed by nix prebake)

- packages.live-desktop.list: add vscode + chromium (XBPS, no download)

iso/_inner-build-live.sh

@@ -38,6 +38,66 @@ fi
 
 cd "$MKLIVE_DIR"
 
+# ── Pre-bake nix packages ────────────────────────────────────────────────
+# Install the nix user packages inside the Docker container and bake the
+# resulting /nix store directly into the squashfs overlay.  The live session
+# then boots with all apps already present — no network downloads needed.
+#
+# The store is cached at /cache/nix-prebake; only rebuilt when the package
+# list changes (checked via an md5 key file).
+if [[ -n "${NIX_PACKAGES_PREBAKE:-}" ]]; then
+    echo ">>> pre-baking nix packages"
+    read -r -a _NIX_PKGS <<< "$NIX_PACKAGES_PREBAKE"
+
+    _NIX_CACHE="$CACHE_DIR/nix-prebake"
+    _CACHE_KEY="$_NIX_CACHE/.done.$(printf '%s\n' "${_NIX_PKGS[@]}" | sort | md5sum | cut -c1-8)"
+
+    mkdir -p "$_NIX_CACHE"
+
+    if [[ -f "$_CACHE_KEY" ]] && [[ -d "$_NIX_CACHE/store" ]] && [[ -f "$_NIX_CACHE/.profile-path" ]]; then
+        echo "    restoring cached nix store ($(du -sh "$_NIX_CACHE/store" 2>/dev/null | cut -f1))"
+        mkdir -p /nix
+        rsync -a "$_NIX_CACHE/" /nix/ 2>&1 | tail -1
+    else
+        echo "    installing nix (single-user, no-daemon)..."
+        rm -rf /nix ~/.nix-profile ~/.nix-defexpr ~/.nix-channels
+        curl -fsSL https://nixos.org/nix/install | sh -s -- --no-daemon --no-channel-add
+        # shellcheck disable=SC1091
+        . /root/.nix-profile/etc/profile.d/nix.sh
+
+        export NIXPKGS_ALLOW_UNFREE=1
+        echo "    nix profile install: ${_NIX_PKGS[*]}"
+        nix profile install --impure "${_NIX_PKGS[@]}" 2>&1
+
+        # Save the profile store path so we can restore from cache next time
+        readlink -f /root/.nix-profile > "$_NIX_CACHE/.profile-path"
+
+        # Cache the full /nix store
+        rsync -a /nix/ "$_NIX_CACHE/" 2>&1 | tail -1
+        touch "$_CACHE_KEY"
+        echo "    cached nix store: $(du -sh "$_NIX_CACHE/store" 2>/dev/null | cut -f1)"
+    fi
+
+    # Stage the nix store into the squashfs overlay
+    echo "    staging /nix into overlay ($(du -sh /nix/store 2>/dev/null | cut -f1))"
+    mkdir -p "$INCLUDE_DIR/nix"
+    rsync -a /nix/ "$INCLUDE_DIR/nix/" 2>&1 | tail -1
+
+    # /etc/skel/.nix-profile → the pre-baked store profile path.
+    # dracut's adduser.sh runs 'useradd -m' which copies skel → /home/live,
+    # so the live user gets a ready nix profile from the squashfs store.
+    _STORE_PROFILE=$(cat "$_NIX_CACHE/.profile-path" 2>/dev/null \
+        || readlink -f /root/.nix-profile 2>/dev/null || echo "")
+    if [[ -n "$_STORE_PROFILE" && -d "$_STORE_PROFILE" ]]; then
+        mkdir -p "$INCLUDE_DIR/etc/skel"
+        ln -sf "$_STORE_PROFILE" "$INCLUDE_DIR/etc/skel/.nix-profile"
+        echo "    skel/.nix-profile → $_STORE_PROFILE"
+    else
+        echo "    WARNING: could not determine nix store profile path"
+    fi
+fi
+# ── end nix prebake ──────────────────────────────────────────────────────
+
 _cleanup_mklive_builds() {
     local d sub
     for d in "$MKLIVE_DIR"/mklive-build.*/; do