| field | value |
|---|---|
| author | 2026-06-05 11:05:59 +0100 |
| committer | 2026-06-05 11:05:59 +0100 |
| commit | 355caf86c2ccd7115e99a98bbbc4d2ec84246637 (patch) |
| tree | b7ce9212c1b80c88fa44f95733e9c6a10f8a451c |
| parent | 283f9941dfafab7b36e66b65a373588816749461 (diff) |
| download | dotfiles-355caf86c2ccd7115e99a98bbbc4d2ec84246637.tar.gz, dotfiles-355caf86c2ccd7115e99a98bbbc4d2ec84246637.tar.bz2, dotfiles-355caf86c2ccd7115e99a98bbbc4d2ec84246637.zip |
chore(bootstrap): drop manual paru-bin AUR build; provision subuid/subgid
Two changes:

1. Eliminate the paru-bin chicken-and-egg. Old flow had to manually
   git-clone aur/paru-bin and run makepkg -si before just-init could
   call paru. Now paru ships from nixpkgs via nix/host.nix, so the
   bootstrap reorders to:

       pacman -S … nix
       enable nix-daemon
       git clone <dotfiles>
       just nix-switch   # installs paru + chezmoi + … into ~/.nix-profile
       PATH=$HOME/.nix-profile/bin:$PATH
       just init         # _chezmoi-init/apply/pkg-apply/unit-apply

   pkg-apply now finds paru on PATH from the nix profile, so the
   remaining AUR entries in meta/base.txt (arkenfox-user.js,
   protonmail-bridge-core, pass-secret-service-bin, zsa-udev,
   kernel-modules-hook, …) install correctly. chezmoi drops out of
   PREREQS — it comes from the nix profile too. just stays on pacman so
   the pre-nix-switch `just nix-switch` invocation works.

2. Add idempotent subuid/subgid provisioning. Required for rootless
   nix-installed podman; pacman's podman package handled this via its
   post-install hook, but nix-installed podman doesn't touch
   /etc/subuid. Range 100000-165535 is the conventional default.
| -rwxr-xr-x | bootstrap.sh | 106 |
1 files changed, 55 insertions, 51 deletions
diff --git a/bootstrap.sh b/bootstrap.sh index 2f35f9d..79e6307 100755 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -31,9 +31,14 @@ id -nG "$USER" | tr ' ' '\n' | grep -qx wheel || die "user '$USER' must be in the 'wheel' group" # 2. install sudo + pacman prerequisites, enable wheel in sudoers. -# If sudo is absent we do this in a single su -c so the root password -# is entered only once. If sudo is already there, reuse it. -PREREQS='sudo git base-devel chezmoi just efibootmgr nix' +# `chezmoi` and `paru` are intentionally NOT in this list — chezmoi +# is run ephemerally via `nix-shell` below for the one-shot deploy, +# and paru lands in ~/.nix-profile/bin after the first nix-switch +# (we install `just init`'s AUR deps using *that* nix-store paru, +# not a manually built paru-bin). `just` and `git` stay on pacman +# so the script + early `just nix-switch` work before the nix +# profile is activated. +PREREQS='sudo git base-devel just efibootmgr nix' SUDOERS_SED='s/^# *\(%wheel ALL=(ALL:ALL\(:ALL\)*) ALL\)/\1/' if ! command -v sudo >/dev/null 2>&1; then 
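Review bot: the new PREREQS comment states that chezmoi "is run ephemerally via `nix-shell` below for the one-shot deploy", but nothing in the patched script invokes nix-shell; the step 6 comment and the commit message both say chezmoi is installed into ~/.nix-profile/bin by `just nix-switch` and picked up from PATH. Suggest rewording the comment so the two explanations agree, e.g. `# chezmoi and paru land in ~/.nix-profile/bin after the first nix-switch (step 6)`, otherwise the next reader will go looking for a nix-shell call that does not exist.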
@@ -47,16 +52,30 @@ else sudo sed -i "${SUDOERS_SED}" /etc/sudoers fi -# 3. bootstrap paru-bin from AUR if missing -if ! command -v paru >/dev/null 2>&1; then - log 'building paru-bin from AUR' - tmp=$(mktemp -d) - trap 'rm -rf "$tmp"' EXIT - git clone --depth=1 https://aur.archlinux.org/paru-bin.git "$tmp/paru-bin" - (cd "$tmp/paru-bin" && makepkg -si --noconfirm) +# 3. enable the nix daemon (multi-user mode; pacman ships the unit) +log 'enabling nix-daemon' +sudo systemctl enable --now nix-daemon.socket + +# Source the nix profile so `nix` is on PATH for the rest of this +# script (pacman drops /etc/profile.d/nix.sh but the current shell +# didn't read it). +for f in /etc/profile.d/nix.sh /etc/profile.d/nix-daemon.sh; do + if [ -r "$f" ]; then + # shellcheck disable=SC1090 + . "$f" + break + fi +done + +# 4. provision subuid/subgid for rootless podman (nix-installed podman +# relies on the system shadow-utils ranges; idempotent — only acts +# when no range exists for the current user). +if ! grep -q "^$USER:" /etc/subuid; then + log "provisioning /etc/subuid + /etc/subgid for rootless containers" + sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 "$USER" fi -# 4. clone dotfiles +# 5. clone dotfiles DOTFILES_DIR="${DOTFILES_DIR:-$HOME/dotfiles}" REPO_URL="${DOTFILES_REPO:-https://github.com/sommerfelddev/dotfiles.git}" if [ ! -d "$DOTFILES_DIR/.git" ]; then 
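Review bot: the guard `if ! grep -q "^$USER:" /etc/subuid; then` only inspects /etc/subuid, and on a host where that file does not exist yet grep prints a "No such file or directory" error to stderr before the negated exit status makes the branch run. Suggest `grep -qs` to silence the missing-file case and checking /etc/subgid too, since the comment promises idempotence for both files, e.g. `if ! grep -qs "^$USER:" /etc/subuid || ! grep -qs "^$USER:" /etc/subgid; then`. Separately, the range 100000-165535 is hardcoded and not checked against entries already present for other users, so running the script for a second account on the same machine hands out an overlapping range; if shared hosts are in scope, derive the range from the highest existing entry instead of a constant.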
@@ -65,62 +84,47 @@ if [ ! -d "$DOTFILES_DIR/.git" ]; then else log "using existing clone at $DOTFILES_DIR" fi - -# 5. run just init — this deploys chezmoi, installs the 'base' meta list -# (which pulls in sudo-rs), deploys /etc/sudoers-rs, /etc/pam.d/sudo, -# creates /usr/local/bin/{sudo,su,visudo,sudoedit} symlinks pointing -# at sudo-rs (PATH precedence shadows /usr/bin/sudo), and installs -# git hooks. The classic 'sudo' package stays installed because -# base-devel hard-depends on it; that's harmless — the binary is -# never invoked once /usr/local/bin/sudo is in place. `just init` -# also runs `just nix-switch` to apply the Home-Manager profile; -# nix itself is part of PREREQS above (pacman package), and -# nix-daemon.socket is enabled by `unit-apply` via -# systemd-units/system.txt. cd "$DOTFILES_DIR" -# Source the nix profile so `nix` is on PATH for the rest of this -# script (pacman drops /etc/profile.d/nix.sh but the current shell -# didn't read it). Multi-user (daemon mode) and per-user variants exist; -# pacman ships the multi-user one. -for f in /etc/profile.d/nix.sh /etc/profile.d/nix-daemon.sh; do - if [ -r "$f" ]; then - # shellcheck disable=SC1090 - . "$f" - break - fi -done +# 6. nix-switch FIRST. This installs paru + chezmoi (plus the wayland +# session tools, qrencode, torsocks, lshw, yt-dlp, streamlink, +# tesseract, whisper-cpp, …) into ~/.nix-profile/bin so the +# subsequent `just init` finds them on PATH. The repo is already a +# valid Nix flake — we don't need chezmoi to have run yet. +log 'running nix-switch (installs paru + user-leaf tools from nix)' +just nix-switch +# Add nix-profile to PATH for the remaining steps so freshly installed +# tools (paru, chezmoi) are picked up immediately. Login shells will +# resolve it via /etc/profile.d/hm-session-vars.sh after re-login. +export PATH="$HOME/.nix-profile/bin:$PATH" + +# 7. 
run just init — this deploys chezmoi, installs the 'base' meta list +# (which pulls in sudo-rs via the nix-profile paru), deploys +# /etc/sudoers-rs, /etc/pam.d/sudo, creates +# /usr/local/bin/{sudo,su,visudo,sudoedit} symlinks pointing at +# sudo-rs (PATH precedence shadows /usr/bin/sudo), and installs git +# hooks. The classic 'sudo' package stays installed because +# base-devel hard-depends on it; that's harmless — the binary is +# never invoked once /usr/local/bin/sudo is in place. `just init` +# also re-runs nix-switch as its last step (a no-op since step 6 +# already activated the profile). log 'running just init' just init -# 5b. chsh to nix-store zsh (provisioned by home-manager via nix/common.nix) -NIX_ZSH="$HOME/.nix-profile/bin/zsh" -if [ -x "$NIX_ZSH" ]; then - if ! grep -qxF "$NIX_ZSH" /etc/shells 2>/dev/null; then - log "appending $NIX_ZSH to /etc/shells" - echo "$NIX_ZSH" | sudo tee -a /etc/shells >/dev/null - fi - current_shell="$(getent passwd "$USER" | cut -d: -f7)" - if [ "$current_shell" != "$NIX_ZSH" ]; then - log "changing login shell to $NIX_ZSH" - sudo chsh -s "$NIX_ZSH" "$USER" - fi -fi - -# 6. refresh pacman mirrorlist once via reflector (config deployed by chezmoi) +# 8. refresh pacman mirrorlist once via reflector (config deployed by chezmoi) log 'refreshing pacman mirrorlist via reflector' sudo reflector @/etc/xdg/reflector/reflector.conf \ --save /etc/pacman.d/mirrorlist || warn 'reflector failed; keeping existing mirrorlist' -# 7. create XDG user directories (~/Documents, ~/Downloads, etc.) +# 9. create XDG user directories (~/Documents, ~/Downloads, etc.) if command -v xdg-user-dirs-update >/dev/null 2>&1; then log 'creating XDG user directories' xdg-user-dirs-update || warn 'xdg-user-dirs-update failed' fi -# 8. optional: create an Arch EFI boot entry if none exists +# 10. optional: create an Arch EFI boot entry if none exists if [ -d /sys/firmware/efi ]; then if ! 
sudo efibootmgr 2>/dev/null | grep -iq arch; then warn 'no Arch Linux EFI boot entry found' |
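Review bot: the entire "5b. chsh to nix-store zsh" block (the /etc/shells append and `sudo chsh -s "$NIX_ZSH" "$USER"`) is deleted, but neither the subject line nor the "Two changes" body mentions dropping the login-shell switch, so the removal reads as accidental rather than intended. Either restore the block after step 7 (the nix-store zsh still comes from the same profile that step 6 activates, so the `-x "$NIX_ZSH"` check would succeed) or add a third item to the commit message saying where the login shell is now set.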
