fix(installer): start nix-daemon and trust flake repo for HM activation

HM activation inside `nixos-enter` failed with `big.lock: Permission
denied` because the chroot has no systemd and therefore no nix-daemon —
the user-level `nix run` fell back to single-user mode and couldn't
write /nix/var/nix/db. Launch nix-daemon manually for the activation
window and force NIX_REMOTE=daemon. Also mark /etc/nixos (and the
impermanence path) as a git safe.directory so HM doesn't trip over
git's dubious-ownership check on the root-owned repo. Make
nomarchy-env-update self-bootstrap via `nix run home-manager` when
home-manager isn't on PATH so the recovery hint actually works on a
freshly-installed system.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

features/scripts/utils/nomarchy-env-update

@@ -21,8 +21,17 @@ if command -v nomarchy-preflight-migration >/dev/null 2>&1; then
     nomarchy-preflight-migration
 fi
 
-# Apply Home Manager changes from the local flake (Standalone)
+# Apply Home Manager changes from the local flake (Standalone).
+# On a freshly-installed system where the installer's HM activation failed,
+# `home-manager` won't be on PATH yet — fall back to `nix run` so this
+# script can recover the install instead of erroring on a missing binary.
 echo "Applying user-level changes from $REPO_DIR#$USER..."
-home-manager switch --flake "$REPO_DIR#$USER" --impure
+if command -v home-manager >/dev/null 2>&1; then
+    home-manager switch --flake "$REPO_DIR#$USER" --impure
+else
+    nix --extra-experimental-features 'nix-command flakes' \
+        run 'home-manager/release-25.11' \
+        -- switch --flake "$REPO_DIR#$USER" --impure
+fi
 
 echo "Environment update complete."