updater to not require sudo prefix for flags

sw/updater.nix

@@ -43,6 +43,14 @@ with lib;
         # Service path for unprivileged (no flags)
         UNIT="update-system.service"
 
+        # Figure out the "real" invoking user, even under sudo.
+        INVOKER_USER="''${SUDO_USER:-$(id -un)}"
+        INVOKER_HOME="$(getent passwd "$INVOKER_USER" | cut -d: -f6)"
+        if [ -z "$INVOKER_HOME" ]; then
+          # fallback if getent is weird in some containers
+          INVOKER_HOME="''${HOME:-/home/$INVOKER_USER}"
+        fi
+
         # Defaults for flagged mode
         DEFAULT_REMOTE_URL="https://git.factory.uga.edu/UGA-Innovation-Factory/athenix"
         REPO_MODE="default"     # default | local | remote
@@ -91,7 +99,7 @@ with lib;
           case "$1" in
             --local-repo)
               REPO_MODE="local"
-              LOCAL_PATH="''${HOME}/athenix"
+              LOCAL_PATH="$INVOKER_HOME/athenix"
               shift
               ;;
             --local-repo=*)
@@ -134,7 +142,7 @@ with lib;
 
         # Build flake ref
         if [ "$REPO_MODE" = "local" ]; then
-          [ -n "$LOCAL_PATH" ] || LOCAL_PATH="''${HOME}/athenix"
+          [ -n "$LOCAL_PATH" ] || LOCAL_PATH="$INVOKER_HOME/athenix"
 
           # Clone default repo if missing
           if [ ! -d "$LOCAL_PATH" ]; then
@@ -177,7 +185,14 @@ with lib;
           impureFlag="--impure"
         fi
 
-        exec nixos-rebuild switch --refresh --print-build-logs $impureFlag --flake "''${flakeRef}"
+        # If not root, re-exec via sudo to do the actual switch.
+        # Preserve our computed invoker context so sudo doesn't "helpfully" change it.
+        if ! is_root; then
+          exec sudo --preserve-env=HOME,USER,LOGNAME \
+            nixos-rebuild switch --refresh --print-build-logs $impureFlag --flake "$flakeRef"
+        else
+          exec nixos-rebuild switch --refresh --print-build-logs $impureFlag --flake "$flakeRef"
+        fi
       '')
     ];