incus-vm: fix NIX_PATH and allowUnfree for NixOS workspaces

Two issues made nix-build fail out of the box for workspace users:

1. <nixpkgs> not found: NIX_PATH was empty. Fix by setting
   nix.nixPath in the coder.nix module to point at root's channel
   (/nix/var/nix/profiles/per-user/root/channels/nixos), which is
   always present after provisioning.

2. Unfree packages blocked: coder's nix derivation has an
   unfreeRedistributable license. Fix by:
   - Setting nixpkgs.config.allowUnfree = true in coder.nix
     (system-wide default)
   - Writing ~/.config/nixpkgs/config.nix with allowUnfree=true
     for the workspace user

Also tightened the channel check from the directory itself to the
nixos subdirectory inside it.

registry/bpmct/templates/incus-vm/nixos.tf

@@ -95,6 +95,11 @@ resource "null_resource" "provision_nixos" {
   nix.settings.trusted-users = [ "root" "$WUSER" ];
   nix.settings.allowed-users = [ "*" ];
 
+  # Make <nixpkgs> resolve for all users via NIX_PATH, and allow unfree
+  # packages by default so nix-build works without extra env vars.
+  nix.nixPath = [ "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" ];
+  nixpkgs.config.allowUnfree = true;
+
   # Attic binary cache on ThinkStation — shared across all NixOS VMs.
   # Builds are fetched from here on cache hit; new builds are pushed via
   # the post-build hook below.
@@ -136,17 +141,28 @@ NIXMOD_EOF
         "grep -q coder.nix /etc/nixos/configuration.nix || \
          sed -i 's|imports = \[|imports = [\n    ./coder.nix|' /etc/nixos/configuration.nix"
 
-      # Restore the nixos channel if missing
+      # Restore the nixos channel for root if missing — this is what NIX_PATH
+      # points at so <nixpkgs> resolves for all users.
       incus exec "$REMOTE:$INSTANCE" -- \
         env PATH=/run/current-system/sw/bin /run/current-system/sw/bin/bash -c \
         "NIX_CHANNEL_URL=https://channels.nixos.org/nixos-25.11; \
          CHANNEL_LINK=/nix/var/nix/profiles/per-user/root/channels; \
-         if [ ! -e \"\$CHANNEL_LINK\" ]; then \
+         if [ ! -e \"\$CHANNEL_LINK/nixos\" ]; then \
            echo 'Restoring nixos channel...'; \
            nix-channel --add \"\$NIX_CHANNEL_URL\" nixos; \
            nix-channel --update nixos; \
          fi"
 
+      # Set up user-level nixpkgs config (allowUnfree) so nix-build works
+      # without NIXPKGS_ALLOW_UNFREE=1 for the workspace user.
+      incus exec "$REMOTE:$INSTANCE" -- \
+        env PATH=/run/current-system/sw/bin /run/current-system/sw/bin/bash -c \
+        "mkdir -p /home/$WUSER/.config/nixpkgs && \
+         if [ ! -f /home/$WUSER/.config/nixpkgs/config.nix ]; then \
+           printf '{ allowUnfree = true; }\n' > /home/$WUSER/.config/nixpkgs/config.nix; \
+           chown -R 1000:1000 /home/$WUSER/.config; \
+         fi"
+
       echo "Running nixos-rebuild switch (this may take a few minutes)..."
       incus exec "$REMOTE:$INSTANCE" -- \
         env PATH=/run/current-system/sw/bin /run/current-system/sw/bin/bash -l -c \