Fix nix single-user mode for live ISO and installer

- Store ownership: chown -R 1000:1000 at Docker build time (not runtime)
  so the live user can create lock files without flooding the tmpfs overlay
- nix.conf: add build-users-group= to force single-user mode and avoid
  daemon connection attempts (xbps nix-daemon v2.30.2 incompatible with
  pre-baked nix v2.34.6)
- profile.d: export NIX_REMOTE=local and NIXPKGS_ALLOW_UNFREE=1; wrap nix()
  to append --impure so flake installs work without extra flags
- Skel: add ~/.config/nixpkgs/config.nix with allowUnfree=true
- postinstall.sh: fix daemon socket path (/nix/var/nix/...), write
  ~/.config/nixpkgs/config.nix for installed user
- first-login.sh: add NIX_REMOTE=local alongside NIXPKGS_ALLOW_UNFREE=1
- Remove nix-daemon from live ISO services (wrong version for pre-baked client)
- Misc: bluetooth group, package list reorg, skip vscode install for niri profile

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

installer/lib/postinstall.sh

@@ -206,13 +206,12 @@ mark=/var/lib/first-boot-nix.done
 [[ -f "\$mark" ]] && exit 0
 
 # Wait for nix-daemon to be available.
-# The Void xbps nix package puts the socket at /var/nix/daemon-socket/socket.
 for _ in \$(seq 1 60); do
-    [[ -S /var/nix/daemon-socket/socket ]] && break
+    [[ -S /nix/var/nix/daemon-socket/socket ]] && break
     sleep 2
 done
 
-if [[ ! -S /var/nix/daemon-socket/socket ]]; then
+if [[ ! -S /nix/var/nix/daemon-socket/socket ]]; then
     echo "nix-daemon not available; aborting first-boot nix install" >&2
     exit 0
 fi
@@ -230,6 +229,12 @@ touch "\$mark"
 EOF
     chmod 0755 "$TARGET/usr/local/libexec/first-boot-nix.sh"
 
+    # Persistent nixpkgs config so the installed user can install unfree packages
+    # without needing to export NIXPKGS_ALLOW_UNFREE=1 every time.
+    install -d -m 0755 "$TARGET/home/$USERNAME/.config/nixpkgs"
+    echo '{ allowUnfree = true; }' > "$TARGET/home/$USERNAME/.config/nixpkgs/config.nix"
+    run_chroot "chown -R $USERNAME:$USERNAME /home/$USERNAME/.config/nixpkgs"
+
     # runit one-shot service.
     install -d -m 0755 "$TARGET/etc/sv/first-boot-nix"
     cat > "$TARGET/etc/sv/first-boot-nix/run" <<'EOF'
@@ -312,10 +317,8 @@ enable_services() {
     local enabled=(
         dbus
         NetworkManager
-        lightdm
         polkitd
         docker
-        bluetoothd
         acpid
         tlp
         elogind
@@ -326,6 +329,14 @@ enable_services() {
         cupsd
         cups-browsed
     )
+
+    # Display manager: greetd for wayland/niri, lightdm for cinnamon.
+    if [[ "${DESKTOP:-cinnamon}" == "niri" ]]; then
+        enabled+=(greetd bluetoothd)
+    else
+        enabled+=(lightdm bluetoothd)
+    fi
+
     [[ "${SSHD_ENABLE:-no}" == "yes" ]] && enabled+=(sshd)
 
     for svc in "${enabled[@]}"; do