Fix nix single-user mode for live ISO and installer

- Store ownership: chown -R 1000:1000 at Docker build time (not runtime)
  so the live user can create lock files without flooding the tmpfs overlay
- nix.conf: add build-users-group= to force single-user mode and avoid
  daemon connection attempts (xbps nix-daemon v2.30.2 incompatible with
  pre-baked nix v2.34.6)
- profile.d: export NIX_REMOTE=local and NIXPKGS_ALLOW_UNFREE=1; wrap nix()
  to append --impure so flake installs work without extra flags
- Skel: add ~/.config/nixpkgs/config.nix with allowUnfree=true
- postinstall.sh: fix daemon socket path (/nix/var/nix/...), write
  ~/.config/nixpkgs/config.nix for installed user
- first-login.sh: add NIX_REMOTE=local alongside NIXPKGS_ALLOW_UNFREE=1
- Remove nix-daemon from live ISO services (wrong version for pre-baked client)
- Misc: bluetooth group, package list reorg, skip vscode install for niri profile

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

installer/first-login.sh

@@ -2,7 +2,7 @@
 # First-login one-shot setup for the user.
 # Installs: Claude Code, NVM + node LTS, VS Code extensions,
 #           and (if NIX_PACKAGES_FILE is present) nix user packages
-#           (google-chrome, spotify, discord, localsend, mission-center).
+#           (google-chrome, spotify, discord, localsend, mission-center, vscode).
 # Idempotent: creates ~/.first-login-done marker on success.
 
 # NOTE: do NOT use `set -u` here — nvm.sh references unbound vars.
@@ -23,16 +23,17 @@ if ! curl -fsSL --max-time 3 --connect-timeout 3 -o /dev/null https://api.github
     exit 0
 fi
 
-# --- Claude Code (official native installer) ---
 mkdir -p "$HOME/.local/bin"
 export PATH="$HOME/.local/bin:$PATH"
+
+# --- Claude Code (official native installer) ---
 if ! command -v claude >/dev/null 2>&1 && [[ ! -x "$HOME/.local/bin/claude" ]]; then
     echo "==> installing Claude Code via official installer"
     curl -fsSL https://claude.ai/install.sh | bash || {
         echo "!! claude install failed"; }
 fi
 
-# --- Nix user packages (google-chrome, spotify, discord, etc.) ---
+# --- Nix user packages (google-chrome, spotify, discord, vscode, etc.) ---
 # Present when running from the live ISO (written by build-live-iso.sh).
 # In the installed system the packages come from first-boot-nix.sh instead.
 # NOTE: nix packages are intentionally skipped in the live session — they
@@ -72,6 +73,7 @@ if [[ -r "$NIX_PACKAGES_FILE" ]] && command -v nix >/dev/null 2>&1; then
         fi
 
         export NIXPKGS_ALLOW_UNFREE=1
+        export NIX_REMOTE=local
 
         mapfile -t pkgs < <(grep -vE '^\s*(#|$)' "$NIX_PACKAGES_FILE")
         if [[ ${#pkgs[@]} -gt 0 ]]; then

installer/install.sh

@@ -98,7 +98,7 @@ main() {
     configure_nvidia_prime
     configure_zram
     configure_nix
-    install_vscode_real
+    [[ "${DESKTOP:-cinnamon}" != "niri" ]] && install_vscode_real
     install_customizations
     enable_services
     install_grub

installer/lib/postinstall.sh

@@ -206,13 +206,12 @@ mark=/var/lib/first-boot-nix.done
 [[ -f "\$mark" ]] && exit 0
 
 # Wait for nix-daemon to be available.
-# The Void xbps nix package puts the socket at /var/nix/daemon-socket/socket.
 for _ in \$(seq 1 60); do
-    [[ -S /var/nix/daemon-socket/socket ]] && break
+    [[ -S /nix/var/nix/daemon-socket/socket ]] && break
     sleep 2
 done
 
-if [[ ! -S /var/nix/daemon-socket/socket ]]; then
+if [[ ! -S /nix/var/nix/daemon-socket/socket ]]; then
     echo "nix-daemon not available; aborting first-boot nix install" >&2
     exit 0
 fi
@@ -230,6 +229,12 @@ touch "\$mark"
 EOF
     chmod 0755 "$TARGET/usr/local/libexec/first-boot-nix.sh"
 
+    # Persistent nixpkgs config so the installed user can install unfree packages
+    # without needing to export NIXPKGS_ALLOW_UNFREE=1 every time.
+    install -d -m 0755 "$TARGET/home/$USERNAME/.config/nixpkgs"
+    echo '{ allowUnfree = true; }' > "$TARGET/home/$USERNAME/.config/nixpkgs/config.nix"
+    run_chroot "chown -R $USERNAME:$USERNAME /home/$USERNAME/.config/nixpkgs"
+
     # runit one-shot service.
     install -d -m 0755 "$TARGET/etc/sv/first-boot-nix"
     cat > "$TARGET/etc/sv/first-boot-nix/run" <<'EOF'
@@ -312,10 +317,8 @@ enable_services() {
     local enabled=(
         dbus
         NetworkManager
-        lightdm
         polkitd
         docker
-        bluetoothd
         acpid
         tlp
         elogind
@@ -326,6 +329,14 @@ enable_services() {
         cupsd
         cups-browsed
     )
+
+    # Display manager: greetd for wayland/niri, lightdm for cinnamon.
+    if [[ "${DESKTOP:-cinnamon}" == "niri" ]]; then
+        enabled+=(greetd bluetoothd)
+    else
+        enabled+=(lightdm bluetoothd)
+    fi
+
     [[ "${SSHD_ENABLE:-no}" == "yes" ]] && enabled+=(sshd)
 
     for svc in "${enabled[@]}"; do