- Rename Makefile target live-iso -> live-ephemeral-iso (and /<arch>).
- Add hosts/persistent-disk: a disko-image-builder host that produces a
  persistent disk image sharing disko-standard.nix's GPT layout (state
  survives reboots, unlike the ephemeral live ISO).
- Add Makefile targets persistent-disk/qcow2 and persistent-disk/raw, each
  with optional /<arch> suffix. raw is dd-able to a drive; qcow2 boots in
  QEMU/libvirt.
- Extract the shared turn-key bits (all-hardware, baked /etc/nixos-repo,
  autologin, Coder admin bootstrap) into nixos/box-turnkey.nix, imported by
  both nixos/live-iso.nix and hosts/persistent-disk. Makefile uses one
  extendModules helper for all targets (per-arch + imageFormat overrides).
- Update README.md/agents.md.

Verified: all four nixosConfigurations eval; coder-thinkcentre drv unchanged;
live ISO + persistent-disk qcow2/raw eval to derivations on x86_64 and
aarch64; raw disk image full build plan resolves via nix build --dry-run.

Rename Makefile targets to a single 'appliance' namespace:
  live-ephemeral-iso     -> appliance/iso
  persistent-disk/qcow2  -> appliance/qcow2
  persistent-disk/raw    -> appliance/raw
Each keeps the optional /<arch> suffix (e.g. appliance/iso/aarch64-linux).
The underlying hosts (live, persistent-disk) and modules are unchanged; this
is target naming + docs only. Update README.md/agents.md.

Set image.baseName = coder-box-appliance (was coder-box-live) so the live
appliance ISO is emitted as coder-box-appliance-<version>-<arch>.iso. Update
the filename in the doc/comment examples too.

The live/persistent-disk hosts inherit configuration.nix's
nixpkgs.hostPlatform = lib.mkOptionDefault "x86_64-linux", so a bare
'make appliance/iso' (no /<arch> suffix) always evaluated as x86_64 even on
an aarch64 host. Pin nixpkgs.hostPlatform in the box_build helper to
builtins.currentSystem when no arch is given (--impure already set), so the
default tracks the builder's native architecture. Explicit /<arch> targets
are unchanged.

- box_build now passes --out-link out/<target> so each build plants a GC-root
  symlink under ./out (e.g. out/appliance-iso, out/appliance-raw-aarch64-linux)
  pointing straight at the store path. Native Nix, no copying; the image still
  lives in /nix/store (unavoidable) but is surfaced in the repo and won't be
  garbage-collected. ./out is gitignored.
- Name the disko disk image coder-box-appliance.{raw,qcow2} (imageName) to
  match the ISO's image.baseName.
- README: document the out/ paths and update the dd example.

Verified: --out-link creates the symlink (selftest build); persistent-disk
still evals with imageName override (resolves to coder-box-appliance).

isoName derives from image.baseName; the previous bare "coder-box-appliance"
dropped the arch upstream normally carries. Append ${hostPlatform.system} so
the file is coder-box-appliance-<arch>.iso (e.g. -x86_64-linux / -aarch64-linux),
making the arch visible and avoiding collisions between arches in ./out.

Match the ISO: set disko imageName to coder-box-appliance-<arch> so disk
images are coder-box-appliance-<arch>.{raw,qcow2} (e.g. -x86_64-linux /
-aarch64-linux). Arch is visible and the two arches don't collide in ./out.
Update README paths.

Set isoImage.appendToMenuLabel = " - Coder Box Appliance" (replaces the
default " Installer"), so both the BIOS/isolinux and EFI/grub boot entries
read 'NixOS <version> - Coder Box Appliance' instead of '... Installer'.

…s/_appliance-disk

- git mv hosts/live -> hosts/_appliance_iso, hosts/persistent-disk ->
  hosts/_appliance-disk (flake auto-discovers them as nixosConfigurations
  ._appliance_iso / ._appliance-disk).
- flake.nix derives networking.hostName from the folder name, but a leading
  underscore is an invalid hostname (must start alphanumeric), so each host now
  sets networking.hostName = mkForce "appliance-iso" / "appliance-disk".
- Update Makefile host args and README/agents.md references. Build targets
  (appliance/iso, appliance/{qcow2,raw}[/<arch>]) are unchanged.

Verified: all four nixosConfigurations eval; ISO + raw disk derivations build;
existing hosts unaffected.

- configuration.nix sets networking.hostName = mkOverride 1250 "coder-box"
  as the central default. Priority 1250 sits between mkDefault (1000) and
  mkOptionDefault (1500): it overrides nixpkgs' own mkOptionDefault "nixos"
  (which would otherwise tie and error) but still loses to flake.nix's
  folder-name mkDefault on install hosts.
- flake.nix injects the folder-name hostname only for non-underscore hosts;
  underscore-prefixed image hosts (_appliance_iso, _appliance-disk) skip it
  and inherit coder-box.
- Remove the custom hostName overrides from the appliance hosts (no longer
  set in the appliance nix files).
- coder-thinkcentre and qemu-arm64 keep their folder-name hostnames.
- Docs updated.

Verified: _appliance_iso/_appliance-disk -> coder-box; coder-thinkcentre ->
coder-thinkcentre; qemu-arm64 -> qemu-arm64; thinkcentre toplevel drv hash
unchanged; ISO + raw disk drvs build.

…rom /etc/nixos-repo)

Root cause: environment.etc."nixos-repo".source = self.outPath bakes the flake
source into the image. On a DIRTY working tree, nix copies untracked files into
self.outPath even when gitignored — including the Makefile's ./out (built images
land there) and stray *.iso/*.qcow2/*.raw. So each build embedded the previous
image into /etc/nixos-repo -> squashfs -> the next image, growing the ISO on
every rebuild (verified: a 300MB out/ file inflated self.outPath to 206MB).

Fix: wrap the baked source in lib.cleanSourceWith, filtering out out/, result,
result-*, and *.iso/*.qcow2/*.raw. The baked /etc/nixos-repo is now content-
stable regardless of build artifacts (verified: source hash unchanged when out/
grows 300MB->600MB), while still shipping the full tree (coderd/ etc.) for
nixos-rebuild / coder-reset.

Verified: baked source 5.5MB (no out/, no stray.iso, coderd/ kept); ISO + raw
disk drvs evaluate; coder-thinkcentre toplevel drv hash unchanged.