fix(installer): start nix-daemon and trust flake repo for HM activation

HM activation inside `nixos-enter` failed with `big.lock: Permission
denied` because the chroot has no systemd and therefore no nix-daemon —
the user-level `nix run` fell back to single-user mode and couldn't
write /nix/var/nix/db. Launch nix-daemon manually for the activation
window and force NIX_REMOTE=daemon. Also mark /etc/nixos (and the
impermanence path) as a git safe.directory so HM doesn't trip over
git's dubious-ownership check on the root-owned repo. Make
nomarchy-env-update self-bootstrap via `nix run home-manager` when
home-manager isn't on PATH so the recovery hint actually works on a
freshly-installed system.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

features/scripts/utils/nomarchy-env-update

@@ -21,8 +21,17 @@ if command -v nomarchy-preflight-migration >/dev/null 2>&1; then
     nomarchy-preflight-migration
 fi
 
-# Apply Home Manager changes from the local flake (Standalone)
+# Apply Home Manager changes from the local flake (Standalone).
+# On a freshly-installed system where the installer's HM activation failed,
+# `home-manager` won't be on PATH yet — fall back to `nix run` so this
+# script can recover the install instead of erroring on a missing binary.
 echo "Applying user-level changes from $REPO_DIR#$USER..."
-home-manager switch --flake "$REPO_DIR#$USER" --impure
+if command -v home-manager >/dev/null 2>&1; then
+    home-manager switch --flake "$REPO_DIR#$USER" --impure
+else
+    nix --extra-experimental-features 'nix-command flakes' \
+        run 'home-manager/release-25.11' \
+        -- switch --flake "$REPO_DIR#$USER" --impure
+fi
 
 echo "Environment update complete."

installer/install.sh

@@ -1266,10 +1266,31 @@ execute_installation() {
     # `runuser -u … -- env HOME=…` switches uid only and leaves \$USER
     # as root, which is what landed the dotfiles in /root previously.
     info "Activating Home Manager for $USERNAME..."
+    # `nixos-enter` chroots without starting systemd, so nix-daemon isn't
+    # running. A user-level `nix run` would then fall back to single-user
+    # mode and try to write /nix/var/nix/db directly — which root owns in
+    # the multi-user store, so it fails with "big.lock: Permission denied".
+    # Launch the daemon manually for the duration of the activation.
     if nixos-enter --root /mnt -- bash -c "
         set -e
         install -d -o '$USERNAME' -g users -m 0755 '/home/$USERNAME'
-        runuser -l '$USERNAME' -c \"nix --extra-experimental-features 'nix-command flakes' run 'home-manager/release-25.11' -- switch --flake '/etc/nixos#$USERNAME' --impure\"
+
+        # /etc/nixos is a git repo owned by root (we init it as root above).
+        # When HM runs as the user, nix invokes git, which refuses with
+        # 'dubious ownership' unless the path is marked safe system-wide.
+        git config --system --add safe.directory /etc/nixos || true
+        git config --system --add safe.directory /persist/etc/nixos || true
+
+        /run/current-system/sw/bin/nix-daemon --daemon &
+        DAEMON_PID=\$!
+        trap 'kill \$DAEMON_PID 2>/dev/null || true' EXIT
+
+        for _ in \$(seq 1 50); do
+            [ -S /nix/var/nix/daemon-socket/socket ] && break
+            sleep 0.1
+        done
+
+        runuser -l '$USERNAME' -c \"NIX_REMOTE=daemon nix --extra-experimental-features 'nix-command flakes' run 'home-manager/release-25.11' -- switch --flake '/etc/nixos#$USERNAME' --impure\"
     "; then
         success "Home Manager activated"
     else