feat: NVIDIA PRIME, audio fix, timezone, dmesg error cleanup

- Add nvidia/nvidia-dkms/nvidia-libs-32bit/nvidia-vaapi-driver to niri
  live and installed profiles; wireless-regdb and sof-firmware to all
  profiles (fixes regulatory.db and SOF firmware dmesg errors)

- iso/postsetup-nvidia.sh: new mklive -x hook that re-runs dracut inside
  the rootfs chroot after the overlay is applied; ensures the squashfs
  initramfs includes nvidia.ko and omits nouveau.ko at build time —
  no driver install needed at runtime (fixes /run tmpfs overflow that was
  killing wireplumber by corrupting D-Bus sockets)

- Both ISO inner build scripts gain -x postsetup-nvidia.sh and the nonfree
  repo flag so nvidia packages resolve correctly

- niri config: wireplumber started via supervisor loop (waits for PipeWire
  socket, auto-restarts on crash) replacing the one-shot exec — survives
  any D-Bus or pipewire disruption

- build-niri-live-iso.sh: NVIDIA modprobe blacklist-nouveau.conf,
  btusb-quirks.conf, modules-load.d/nvidia.conf, dracut/10-nvidia.conf,
  Xorg intel/nvidia configs, prime-run helper, elogind run script loop
  guard, timezone Europe/Zurich overlay, updated BOOT_CMDLINE

- build-live-iso.sh: same NVIDIA + timezone + sound udev rule overlays;
  live-setup.sh timezone and audio group fix

- installer/lib/grub.sh: GRUB_CMDLINE_LINUX_DEFAULT gains
  nvidia-drm.modeset=1 rd.driver.blacklist=nouveau btusb.enable_autosuspend=0

- installer/lib/postinstall.sh: configure_nvidia_prime() adds
  blacklist-nouveau.conf, btusb-quirks.conf, dracut omit_drivers nouveau,
  modules-load.d with all four nvidia modules

config/profiles/mainline-niri/customizations/niri.sh

@@ -48,6 +48,7 @@ prefer-no-csd
 spawn-at-startup "swaybg" "-i" "/usr/share/backgrounds/void-installer/pxfuel.jpg"
 spawn-at-startup "mako"
 spawn-at-startup "/usr/libexec/polkit-gnome-authentication-agent-1"
+spawn-at-startup "sh" "-c" "command -v gnome-keyring-daemon >/dev/null 2>&1 && gnome-keyring-daemon --start --components=secrets,pkcs11 >/dev/null 2>&1; true"
 spawn-at-startup "sh" "-c" "i=0; while [ \$i -lt 30 ] && ! dbus-send --system --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.bluez >/dev/null 2>&1; do sleep 1; i=\$((i+1)); done; exec noctalia-shell"
 
 cursor {
@@ -57,7 +58,7 @@ cursor {
 
 binds {
     Mod+T          { spawn "alacritty"; }
-    Mod+D          { spawn "fuzzel"; }
+    Mod+D          { spawn "sh" "-c" "quickshell msg -c noctalia-shell launcher toggle"; }
     Mod+Q          { close-window; }
     Mod+Shift+E    { quit; }
     Print          { screenshot; }
@@ -97,9 +98,74 @@ export MOZ_ENABLE_WAYLAND=1
 export _JAVA_AWT_WM_NONREPARENTING=1
 export XDG_CURRENT_DESKTOP=niri
 export XDG_SESSION_TYPE=wayland
+export GTK_USE_PORTAL=1
+export ELECTRON_OZONE_PLATFORM_HINT=auto
 EOF
     chmod 0644 "$TARGET/etc/profile.d/wayland.sh"
     log "wayland environment installed at /etc/profile.d/wayland.sh"
+
+    # Expose nix .desktop files and icons (installed via first-boot-nix)
+    cat > "$TARGET/etc/profile.d/nix-xdg.sh" <<'NIXEOF'
+# Add nix profile share directory so launchers and icon themes pick up nix apps.
+if [[ -d "${HOME:-}/.nix-profile/share" ]]; then
+    case ":${XDG_DATA_DIRS:-}:" in
+        *":$HOME/.nix-profile/share:"*) ;;
+        *) export XDG_DATA_DIRS="$HOME/.nix-profile/share:${XDG_DATA_DIRS:-/usr/local/share:/usr/share}" ;;
+    esac
+fi
+NIXEOF
+    chmod 0644 "$TARGET/etc/profile.d/nix-xdg.sh"
+
+    # /etc/environment: baseline XDG_DATA_DIRS loaded by pam_env for ALL session
+    # types (TTY login, greetd). The nix profile share path must be absolute here
+    # because pam_env does not expand $HOME when the key uses = (not DEFAULT=).
+    # The installed user's home is /home/$USERNAME, so we hardcode it.
+    cat > "$TARGET/etc/environment" <<ENVEOF
+XDG_DATA_DIRS=/home/${USERNAME}/.nix-profile/share:/usr/local/share:/usr/share
+QT_QPA_PLATFORM=wayland;xcb
+GDK_BACKEND=wayland,x11
+MOZ_ENABLE_WAYLAND=1
+LIBSEAT_BACKEND=logind
+GTK_USE_PORTAL=1
+ELECTRON_OZONE_PLATFORM_HINT=auto
+ENVEOF
+    log "/etc/environment written with XDG_DATA_DIRS for nix profile"
+
+    # dconf system keyfile: GTK dark theme reported to all apps via xdg-portal
+    install -d -m 0755 "$TARGET/etc/dconf/db/local.d"
+    install -d -m 0755 "$TARGET/etc/dconf/profile"
+    cat > "$TARGET/etc/dconf/db/local.d/01-dark-theme" <<'EOF'
+[org/gnome/desktop/interface]
+color-scheme='prefer-dark'
+gtk-theme='Gruvbox-Dark'
+icon-theme='Gruvbox-Plus-Dark'
+cursor-theme='Bibata-Modern-Ice'
+cursor-size=24
+EOF
+    echo 'user-db:user
+system-db:local' > "$TARGET/etc/dconf/profile/user"
+    run_chroot "dconf update 2>/dev/null || true"
+    log "dconf dark theme profile installed"
+}
+
+_niri_write_session_wrapper() {
+    local TARGET="$1"
+    # Create /usr/local/bin/niri-session: sources /etc/profile before exec'ing
+    # niri --session so that all /etc/profile.d/* scripts (nix paths,
+    # XDG_DATA_DIRS with ~/.nix-profile/share, wayland env, etc.) are in effect
+    # for the compositor and every app it spawns.
+    install -d -m 0755 "$TARGET/usr/local/bin"
+    cat > "$TARGET/usr/local/bin/niri-session" <<'EOF'
+#!/bin/bash
+# niri-session — wrapper started by greetd/tuigreet.
+# Sources /etc/profile so that all /etc/profile.d/* scripts run
+# (nix paths, wayland env, XDG_DATA_DIRS with ~/.nix-profile/share, etc.)
+# before handing off to the compositor.
+[ -f /etc/profile ] && . /etc/profile
+exec niri --session "$@"
+EOF
+    chmod 0755 "$TARGET/usr/local/bin/niri-session"
+    log "niri-session wrapper installed at /usr/local/bin/niri-session"
 }
 
 _niri_setup_greetd() {
@@ -141,7 +207,122 @@ EOF
     fi
 }
 
-_niri_write_kdl    "$TARGET"
-_niri_write_env    "$TARGET"
-_niri_setup_greetd "$TARGET"
-_niri_install_noctalia "$TARGET"
+_niri_write_portal_config() {
+    local TARGET="$1"
+    # Tell xdg-desktop-portal to route all portals through the GTK backend when
+    # running under niri.  Without this the dispatcher has no match for
+    # XDG_CURRENT_DESKTOP=niri and file-picker / open-with calls fail silently.
+    install -d -m 0755 "$TARGET/etc/xdg/xdg-desktop-portal"
+    cat > "$TARGET/etc/xdg/xdg-desktop-portal/niri-portals.conf" <<'EOF'
+[preferred]
+default=gtk
+org.freedesktop.impl.portal.FileChooser=gtk
+org.freedesktop.impl.portal.AppChooser=gtk
+org.freedesktop.impl.portal.OpenURI=gtk
+org.freedesktop.impl.portal.Print=gtk
+org.freedesktop.impl.portal.Screenshot=gtk
+org.freedesktop.impl.portal.Inhibit=gtk
+org.freedesktop.impl.portal.Notification=gtk
+org.freedesktop.impl.portal.Settings=gtk
+EOF
+    log "niri portal config installed (gtk backend for all portals)"
+}
+
+_niri_write_sound_udev_rules() {
+    local TARGET="$1"
+    # PCM/control nodes are created root:root on some kernels before the audio
+    # group is provisioned. This persistent rule ensures correct ownership.
+    install -d -m 0755 "$TARGET/etc/udev/rules.d"
+    cat > "$TARGET/etc/udev/rules.d/70-sound-perms.rules" <<'EOF'
+# Allow the audio group to access ALSA PCM and control devices.
+SUBSYSTEM=="sound", GROUP="audio", MODE="0660"
+EOF
+    log "sound udev rules installed"
+}
+
+_niri_write_noctalia_defaults() {
+    local TARGET="$1"
+    # Write a baseline noctalia settings.json into skel so every new user
+    # (including the installed user) gets the correct wallpaper directory,
+    # dark mode, and Gruvbox colour scheme out of the box.
+    local skel_noc="$TARGET/etc/skel/.config/noctalia"
+    install -d -m 0755 "$skel_noc"
+    cat > "$skel_noc/settings.json" <<NOCEOF
+{
+    "appLauncher": {
+        "iconMode": "apps",
+        "sortByMostUsed": true,
+        "showCategories": true,
+        "viewMode": "grid",
+        "pinnedApps": [],
+        "terminalCommand": "alacritty -e",
+        "density": "default",
+        "position": "center"
+    },
+    "colorSchemes": {
+        "darkMode": true,
+        "predefinedScheme": "Gruvbox",
+        "generationMethod": "tonal-spot",
+        "manualSunrise": "06:30",
+        "manualSunset": "18:30",
+        "monitorForColors": ""
+    },
+    "wallpaper": {
+        "enabled": true,
+        "directory": "/usr/share/backgrounds/void-installer",
+        "fillMode": "crop",
+        "fillColor": "#000000",
+        "automationEnabled": false,
+        "favorites": [],
+        "hideWallpaperFilenames": false,
+        "linkLightAndDarkWallpapers": true,
+        "monitorDirectories": [],
+        "enableMultiMonitorDirectories": false
+    }
+}
+NOCEOF
+    chmod 0644 "$skel_noc/settings.json"
+    # Mirror into installed user's home
+    install -d -m 0755 "$TARGET/home/$USERNAME/.config/noctalia"
+    cp "$skel_noc/settings.json" "$TARGET/home/$USERNAME/.config/noctalia/settings.json"
+    run_chroot "chown -R $USERNAME:$USERNAME /home/$USERNAME/.config/noctalia" || true
+    log "noctalia default settings installed (wallpaper dir + Gruvbox dark)"
+}
+
+_niri_set_default_browser() {
+    local TARGET="$1"
+    # System-wide MIME defaults: google-chrome (installed via nix) as the
+    # default browser for http/https/html.  Written to /etc/xdg/mimeapps.list
+    # (system default, read before ~/.config/mimeapps.list) and also into skel
+    # so the user-level entry is set from first login.
+    install -d -m 0755 "$TARGET/etc/xdg"
+    cat > "$TARGET/etc/xdg/mimeapps.list" <<'EOF'
+[Default Applications]
+text/html=google-chrome.desktop
+x-scheme-handler/http=google-chrome.desktop
+x-scheme-handler/https=google-chrome.desktop
+x-scheme-handler/about=google-chrome.desktop
+x-scheme-handler/unknown=google-chrome.desktop
+application/pdf=google-chrome.desktop
+application/xhtml+xml=google-chrome.desktop
+application/xml=google-chrome.desktop
+EOF
+    # Also set in user skel so ~/.config/mimeapps.list is populated on first login
+    install -d -m 0755 "$TARGET/etc/skel/.config"
+    cp "$TARGET/etc/xdg/mimeapps.list" "$TARGET/etc/skel/.config/mimeapps.list"
+    # Mirror into installed user home
+    install -d -m 0755 "$TARGET/home/$USERNAME/.config"
+    cp "$TARGET/etc/xdg/mimeapps.list" "$TARGET/home/$USERNAME/.config/mimeapps.list"
+    run_chroot "chown $USERNAME:$USERNAME /home/$USERNAME/.config/mimeapps.list" || true
+    log "google-chrome set as default browser (mimeapps.list)"
+}
+
+_niri_write_kdl             "$TARGET"
+_niri_write_env             "$TARGET"
+_niri_write_session_wrapper "$TARGET"
+_niri_write_portal_config   "$TARGET"
+_niri_write_sound_udev_rules "$TARGET"
+_niri_setup_greetd          "$TARGET"
+_niri_install_noctalia      "$TARGET"
+_niri_write_noctalia_defaults "$TARGET"
+_niri_set_default_browser     "$TARGET"

config/profiles/mainline-niri/packages.list

@@ -49,6 +49,7 @@ openssh
 iwd
 nftables
 chrony
+wireless-regdb
 
 # --- audio (pipewire stack) ---
 pipewire
@@ -57,6 +58,7 @@ alsa-pipewire
 pavucontrol
 alsa-utils
 playerctl
+sof-firmware
 
 # --- graphics / wayland ---
 wayland
@@ -75,7 +77,6 @@ nvidia-vaapi-driver
 
 # --- niri compositor + wayland ecosystem ---
 niri
-fuzzel
 mako
 swaybg
 swayidle
@@ -89,6 +90,12 @@ xdg-desktop-portal-wlr
 polkit-gnome
 brightnessctl
 
+# --- file manager ---
+nautilus
+
+# --- keyring (Chrome / VSCode secret storage) ---
+gnome-keyring
+
 # --- noctalia shell runtime deps (noctalia-shell itself is installed in
 #     niri.sh from the third-party XBPS repo at universalrepo.r1xelelo.workers.dev).
 ImageMagick

config/profiles/mainline-niri/packages.live-desktop.list

@@ -46,6 +46,7 @@ NetworkManager-openvpn
 openssh
 iwd
 chrony
+wireless-regdb
 
 # --- audio (pipewire stack) ---
 pipewire
@@ -54,6 +55,7 @@ alsa-pipewire
 pavucontrol
 alsa-utils
 playerctl
+sof-firmware
 
 # --- Wayland session ---
 mesa-dri
@@ -63,14 +65,17 @@ elogind
 seatd
 dbus
 
+# --- nvidia PRIME (from nonfree repo) ---
+nvidia
+nvidia-libs-32bit
+nvidia-vaapi-driver
+
 # --- display manager ---
 greetd
 tuigreet
 
 # --- terminal + launcher ---
 alacritty
-fuzzel
-foot
 
 # --- notification + background ---
 mako
@@ -95,10 +100,17 @@ zenity
 
 # --- XDG portals ---
 xdg-desktop-portal
+xdg-desktop-portal-gtk
 xdg-desktop-portal-gnome
 xdg-utils
 xdg-user-dirs
 
+# --- file manager ---
+nautilus
+
+# --- keyring (Chrome / VSCode secret storage) ---
+gnome-keyring
+
 # --- nix (for prebaked packages — spotify, discord, google-chrome, vscode, fastfetch, etc.) ---
 nix
 

config/profiles/stable-cinnamon/packages.list

@@ -50,6 +50,7 @@ iwd
 wpa_supplicant
 nftables
 chrony
+wireless-regdb
 
 # --- audio ---
 pipewire
@@ -57,6 +58,7 @@ wireplumber
 alsa-pipewire
 pavucontrol
 alsa-utils
+sof-firmware
 
 # --- graphics / xorg ---
 xorg-minimal

config/profiles/stable-cinnamon/packages.live-desktop.list

@@ -47,6 +47,7 @@ openssh
 iwd
 wpa_supplicant
 chrony
+wireless-regdb
 
 # --- audio ---
 pipewire
@@ -54,6 +55,7 @@ wireplumber
 alsa-pipewire
 pavucontrol
 alsa-utils
+sof-firmware
 
 # --- graphics / xorg ---
 xorg-minimal