feat: NVIDIA PRIME, audio fix, timezone, dmesg error cleanup

- Add nvidia/nvidia-dkms/nvidia-libs-32bit/nvidia-vaapi-driver to niri
  live and installed profiles; wireless-regdb and sof-firmware to all
  profiles (fixes regulatory.db and SOF firmware dmesg errors)

- iso/postsetup-nvidia.sh: new mklive -x hook that re-runs dracut inside
  the rootfs chroot after the overlay is applied; ensures the squashfs
  initramfs includes nvidia.ko and omits nouveau.ko at build time —
  no driver install needed at runtime (fixes /run tmpfs overflow that was
  killing wireplumber by corrupting D-Bus sockets)

- Both ISO inner build scripts gain -x postsetup-nvidia.sh and the nonfree
  repo flag so nvidia packages resolve correctly

- niri config: wireplumber started via supervisor loop (waits for PipeWire
  socket, auto-restarts on crash) replacing the one-shot exec — survives
  any D-Bus or pipewire disruption

- build-niri-live-iso.sh: NVIDIA modprobe blacklist-nouveau.conf,
  btusb-quirks.conf, modules-load.d/nvidia.conf, dracut/10-nvidia.conf,
  Xorg intel/nvidia configs, prime-run helper, elogind run script loop
  guard, timezone Europe/Zurich overlay, updated BOOT_CMDLINE

- build-live-iso.sh: same NVIDIA + timezone + sound udev rule overlays;
  live-setup.sh timezone and audio group fix

- installer/lib/grub.sh: GRUB_CMDLINE_LINUX_DEFAULT gains
  nvidia-drm.modeset=1 rd.driver.blacklist=nouveau btusb.enable_autosuspend=0

- installer/lib/postinstall.sh: configure_nvidia_prime() adds
  blacklist-nouveau.conf, btusb-quirks.conf, dracut omit_drivers nouveau,
  modules-load.d with all four nvidia modules

iso/build-live-iso.sh

@@ -135,6 +135,17 @@ if [ -f /etc/nsswitch.conf ]; then
     echo "live-setup: removed mdns from nsswitch.conf (hosts line)"
 fi
 
+# ── Timezone ──────────────────────────────────────────────────────────────
+ln -sf /usr/share/zoneinfo/Europe/Zurich /etc/localtime 2>/dev/null || true
+echo "live-setup: timezone set to Europe/Zurich"
+
+# ── Fix sound device permissions ───────────────────────────────────────────
+# PCM/control nodes may be root:root at early boot before the audio group
+# exists.  Re-apply correct ownership so PipeWire/ALSA can open the devices.
+chown root:audio /dev/snd/pcmC* /dev/snd/controlC* /dev/snd/hwC* 2>/dev/null || true
+chmod 660 /dev/snd/pcmC* /dev/snd/controlC* /dev/snd/hwC* 2>/dev/null || true
+udevadm trigger --subsystem-match=sound 2>/dev/null || true
+
 # ── DNS: ensure a working nameserver is configured ───────────────────────
 # NetworkManager will overwrite resolv.conf once DHCP completes.
 # If the DHCP-provided nameserver is broken (e.g. QEMU's 10.0.2.3), add
@@ -264,6 +275,16 @@ chmod 0755 "$INCLUDE_DIR/etc/runit/2"
 
 install -d -m 0755 "$INCLUDE_DIR/etc/runit/runsvdir/default"
 
+# Write all repos to xbps.d so they persist in the live squashfs.
+# The nonfree repo is needed for nvidia and other proprietary drivers.
+install -d -m 0755 "$INCLUDE_DIR/etc/xbps.d"
+cat > "$INCLUDE_DIR/etc/xbps.d/00-void-repos.conf" <<EOF
+repository=${REPO_URL:-https://repo-default.voidlinux.org/current}
+repository=${REPO_URL%/current}/current/nonfree
+repository=${REPO_URL%/current}/current/multilib
+repository=${REPO_URL%/current}/current/multilib/nonfree
+EOF
+
 # ── 3b) LightDM autologin ───────────────────────────────────────────────
 install -d -m 0755 "$INCLUDE_DIR/etc/lightdm"
 # .session file: read by the vmklive dracut hook (display-manager-autologin.sh)
@@ -561,6 +582,55 @@ cat > "$INCLUDE_DIR/etc/environment" <<'ENVEOF'
 XDG_DATA_DIRS=/home/live/.nix-profile/share:/usr/local/share:/usr/share
 ENVEOF
 
+# ── Timezone ──────────────────────────────────────────────────────────────
+ln -sf /usr/share/zoneinfo/Europe/Zurich "$INCLUDE_DIR/etc/localtime"
+cat > "$INCLUDE_DIR/etc/rc.conf" <<'RCEOF'
+KEYMAP="ch"
+HARDWARECLOCK="UTC"
+TIMEZONE="Europe/Zurich"
+RCEOF
+
+# ── Sound device udev rules ──────────────────────────────────────────────
+# PCM/control nodes are created root:root at early boot before the audio group
+# is provisioned; this rule ensures correct ownership on every boot.
+install -d -m 0755 "$INCLUDE_DIR/etc/udev/rules.d"
+cat > "$INCLUDE_DIR/etc/udev/rules.d/70-sound-perms.rules" <<'EOF'
+SUBSYSTEM=="sound", GROUP="audio", MODE="0660"
+EOF
+
+# ── NVIDIA PRIME overlay ────────────────────────────────────────────────
+# Blacklist nouveau — the live-setup.sh PRIME detection block already writes
+# Xorg config, but the kernel must also not load nouveau.
+install -d -m 0755 "$INCLUDE_DIR/etc/modprobe.d"
+cat > "$INCLUDE_DIR/etc/modprobe.d/blacklist-nouveau.conf" <<'EOF'
+blacklist nouveau
+options nouveau modeset=0
+EOF
+cat > "$INCLUDE_DIR/etc/modprobe.d/btusb-quirks.conf" <<'EOF'
+options btusb enable_autosuspend=0
+EOF
+install -d -m 0755 "$INCLUDE_DIR/etc/modules-load.d"
+cat > "$INCLUDE_DIR/etc/modules-load.d/nvidia.conf" <<'EOF'
+nvidia
+nvidia_modeset
+nvidia_uvm
+nvidia_drm
+EOF
+install -d -m 0755 "$INCLUDE_DIR/etc/dracut.conf.d"
+cat > "$INCLUDE_DIR/etc/dracut.conf.d/10-nvidia.conf" <<'EOF'
+add_drivers+=" nvidia nvidia_modeset nvidia_uvm nvidia_drm "
+omit_drivers+=" nouveau "
+EOF
+install -d -m 0755 "$INCLUDE_DIR/usr/local/bin"
+cat > "$INCLUDE_DIR/usr/local/bin/prime-run" <<'EOF'
+#!/bin/sh
+exec env __NV_PRIME_RENDER_OFFLOAD=1 \
+         __VK_LAYER_NV_optimus=NVIDIA_only \
+         __GLX_VENDOR_LIBRARY_NAME=nvidia \
+         "$@"
+EOF
+chmod 0755 "$INCLUDE_DIR/usr/local/bin/prime-run"
+
 # /etc/profile.d: PATH for interactive terminals (alacritty, etc.)
 install -d -m 0755 "$INCLUDE_DIR/etc/profile.d"
 cat > "$INCLUDE_DIR/etc/profile.d/nix-prebaked.sh" <<'NIXEOF'
@@ -696,7 +766,7 @@ TS="$(date -u +%Y%m%d)"
 OUT_ISO="${OUTPUT_ISO:-$OUT_DIR/void-live-stable-${TS}.iso}"
 # live.user=live → vmklive dracut hook creates user 'live' (default would be 'anon')
 # console=ttyS0 → serial output for QEMU/real hardware debugging
-BOOT_CMDLINE="${BOOT_CMDLINE:-live.user=${LIVE_USER} console=tty0 console=ttyS0,115200}"
+BOOT_CMDLINE="${BOOT_CMDLINE:-live.user=${LIVE_USER} console=tty0 console=ttyS0,115200 nvidia-drm.modeset=1 rd.driver.blacklist=nouveau modprobe.blacklist=nouveau btusb.enable_autosuspend=0}"
 
 echo ">>> running mklive.sh inside docker — output: $OUT_ISO"
 "$DOCKER" run --rm --privileged \