diff --git a/features/scripts/utils/nomarchy-env-update b/features/scripts/utils/nomarchy-env-update
index d232ea8..9e3e207 100644
--- a/features/scripts/utils/nomarchy-env-update
+++ b/features/scripts/utils/nomarchy-env-update
@@ -21,8 +21,17 @@ if command -v nomarchy-preflight-migration >/dev/null 2>&1; then
 nomarchy-preflight-migration
 fi
 
-# Apply Home Manager changes from the local flake (Standalone)
+# Apply Home Manager changes from the local flake (Standalone).
+# On a freshly-installed system where the installer's HM activation failed,
+# `home-manager` won't be on PATH yet — fall back to `nix run` so this
+# script can recover the install instead of erroring on a missing binary.
 echo "Applying user-level changes from $REPO_DIR#$USER..."
-home-manager switch --flake "$REPO_DIR#$USER" --impure
+if command -v home-manager >/dev/null 2>&1; then
+ home-manager switch --flake "$REPO_DIR#$USER" --impure
+else
+ nix --extra-experimental-features 'nix-command flakes' \
+ run 'home-manager/release-25.11' \
+ -- switch --flake "$REPO_DIR#$USER" --impure
+fi
 
 echo "Environment update complete."
diff --git a/installer/install.sh b/installer/install.sh
index 87f6c61..e4dde6d 100755
--- a/installer/install.sh
+++ b/installer/install.sh
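Review bot: The fallback branch in nomarchy-env-update runs `home-manager/release-25.11`, which resolves through the flake registry to whatever the tip of that branch is at run time, so the code executed is not the revision locked in the flake at `$REPO_DIR` and can change between runs. The same unpinned reference appears in the `runuser` line of installer/install.sh. If the local flake declares a `home-manager` input (not visible in this diff), `nix --extra-experimental-features 'nix-command flakes' run --inputs-from "$REPO_DIR" home-manager -- switch --flake "$REPO_DIR#$USER" --impure` would run the locked revision instead. Failing that, the release string should at least be defined once rather than repeated in two files, so the two copies cannot drift apart.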
@@ -1266,10 +1266,31 @@ execute_installation() {
 # `runuser -u … -- env HOME=…` switches uid only and leaves \$USER
 # as root, which is what landed the dotfiles in /root previously.
 info "Activating Home Manager for $USERNAME..."
+ # `nixos-enter` chroots without starting systemd, so nix-daemon isn't
+ # running. A user-level `nix run` would then fall back to single-user
+ # mode and try to write /nix/var/nix/db directly — which root owns in
+ # the multi-user store, so it fails with "big.lock: Permission denied".
+ # Launch the daemon manually for the duration of the activation.
 if nixos-enter --root /mnt -- bash -c "
 set -e
 install -d -o '$USERNAME' -g users -m 0755 '/home/$USERNAME'
- runuser -l '$USERNAME' -c \"nix --extra-experimental-features 'nix-command flakes' run 'home-manager/release-25.11' -- switch --flake '/etc/nixos#$USERNAME' --impure\"
+
+ # /etc/nixos is a git repo owned by root (we init it as root above).
+ # When HM runs as the user, nix invokes git, which refuses with
+ # 'dubious ownership' unless the path is marked safe system-wide.
+ git config --system --add safe.directory /etc/nixos || true
+ git config --system --add safe.directory /persist/etc/nixos || true
+
+ /run/current-system/sw/bin/nix-daemon --daemon &
+ DAEMON_PID=\$!
+ trap 'kill \$DAEMON_PID 2>/dev/null || true' EXIT
+
+ for _ in \$(seq 1 50); do
+ [ -S /nix/var/nix/daemon-socket/socket ] && break
+ sleep 0.1
+ done
+
+ runuser -l '$USERNAME' -c \"NIX_REMOTE=daemon nix --extra-experimental-features 'nix-command flakes' run 'home-manager/release-25.11' -- switch --flake '/etc/nixos#$USERNAME' --impure\"
 "; then
 success "Home Manager activated"
 else
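Review bot: The socket wait loop inside the `bash -c` script gives up silently after 50 tries: if `/nix/var/nix/daemon-socket/socket` never appears, `runuser` still runs with `NIX_REMOTE=daemon` and the activation fails with a connection error instead of the real cause. Add a check right after `done`, for example `[ -S /nix/var/nix/daemon-socket/socket ] || { echo 'nix-daemon did not start' >&2; exit 1; }`. Separately, the two `git config --system --add safe.directory … || true` lines hide any write failure. They also leave a system-wide exception to git's ownership check on the installed system after activation, so a comment saying this persistence is intended, or removal of the entries once activation finishes, would make the trade-off explicit. execute_installation begins and ends outside the hunk.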