feat: Tier 1 system features — snapper, hibernate, containers, libvirt, keyring

Five opt-in modules lifted from bernardo/nixos and adapted to Nomarchy's
nomarchy.system.* option namespace. All default off (except keyring which
defaults on); evaluation of the existing VM/ISO is unchanged when the
toggles are unset.

- core/system/snapper.nix: BTRFS timeline snapshots (5h/7d), nixos-rebuild-snap
  wrapper that pre-snaps before each switch using the running hostname.
  Auto-skips when / isn't BTRFS so impermanence/non-BTRFS hosts are safe.
- core/system/hibernate.nix: suspend-then-hibernate on lid/idle/power-key
  with configurable idleMinutes (default 30). Description warns swap is
  required.
- core/system/containers.nix: rootless Podman with dockerCompat + dns +
  podman-compose, podman-tui, dive. Better default than the docker daemon
  for a desktop distro.
- core/system/virtualization.nix: extends the existing uwsm/Hyprland file
  with a libvirt + virt-manager + OVMF branch behind
  nomarchy.system.virtualization.libvirt.enable.
- core/system/pam.nix: GNOME Keyring auto-unlock at SDDM/login/hyprlock
  plus gcr-ssh-agent so SSH keys flow through the keyring instead of a
  separate ssh-agent. Default on.
- core/system/options.nix: declares the five new options.
- core/system/default.nix: imports the four new files.
- installer/install.sh: surfaces all five toggles as commented one-liners
  in the "Optional Nomarchy modules" section of the generated system.nix.
  Verified via the existing dry-run / generator smoke test.

Verified each toggle lights up the right NixOS option (services.snapper,
logind IdleAction, virtualisation.podman/libvirtd, pam.sddm.enableGnomeKeyring)
via nix eval against extendModules. VM and live-ISO toplevels still build.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

core/system/snapper.nix

@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.nomarchy.system.snapper;
+  rootIsBtrfs = (config.fileSystems."/".fsType or "") == "btrfs";
+  active = cfg.enable && rootIsBtrfs;
+in
+{
+  config = lib.mkIf active {
+    # `nixos-rebuild-snap`: take a Snapper pre-rebuild snapshot, then run
+    # `nixos-rebuild switch` against the current host. The hostname is read
+    # from the running config so this script works on every machine without
+    # editing.
+    environment.systemPackages = [
+      (pkgs.writeShellScriptBin "nixos-rebuild-snap" ''
+        if [ "$(id -u)" -ne 0 ]; then
+          echo "This script must be run as root (use sudo)" >&2
+          exit 1
+        fi
+        echo "Creating pre-rebuild snapshot..."
+        ${pkgs.snapper}/bin/snapper -c root create \
+          -d "Pre-rebuild $(date +'%Y-%m-%d %H:%M:%S')" \
+          --cleanup-algorithm number
+        echo "Rebuilding..."
+        nixos-rebuild switch --flake .#${config.networking.hostName} "$@"
+      '')
+    ];
+
+    services.snapper.configs = {
+      root = {
+        SUBVOLUME = "/";
+        TIMELINE_CREATE = true;
+        TIMELINE_CLEANUP = true;
+        TIMELINE_LIMIT_HOURLY = "5";
+        TIMELINE_LIMIT_DAILY = "7";
+        TIMELINE_LIMIT_WEEKLY = "0";
+        TIMELINE_LIMIT_MONTHLY = "0";
+        TIMELINE_LIMIT_YEARLY = "0";
+      };
+    };
+  };
+}