diff --git a/nix/templates/weston-vnc.nix b/nix/templates/weston-vnc.nix
index 1d6324f..401760f 100644
--- a/nix/templates/weston-vnc.nix
+++ b/nix/templates/weston-vnc.nix
@@ -79,10 +79,15 @@
 mkdir -p /run/user/0 && chmod 700 /run/user/0 || true
 # --- Compute deterministic VNC port via FNV-1a ---
- # Agent name = hostname with leading "h-" stripped, mirroring
- # lifecycle::agent_web_port in hive-c0re/src/lifecycle.rs.
+ # Agent name = container hostname with leading "h-" stripped,
+ # mirroring lifecycle::agent_web_port in hive-c0re/src/lifecycle.rs.
+ # Read from /etc/hostname (always present in NixOS containers)
+ # to avoid a dependency on the `hostname` binary (which lives in
+ # pkgs.inetutils, not pkgs.coreutils).
 # VNC_PORT_BASE=15900, VNC_PORT_RANGE=900 → [15900, 16799].
- AGENT_NAME=$(${pkgs.coreutils}/bin/hostname | ${pkgs.gnused}/bin/sed 's/^h-//')
+ RAW_HOST=$(${pkgs.coreutils}/bin/cat /etc/hostname)
+ AGENT_NAME=$(${pkgs.coreutils}/bin/printf '%s' "$RAW_HOST" \
+ | ${pkgs.gnused}/bin/sed 's/^h-//')
 hash=2166136261
 for byte in $(${pkgs.coreutils}/bin/printf '%s' "$AGENT_NAME" \
 | ${pkgs.coreutils}/bin/od -An -tu1 \
@@ -99,10 +104,14 @@
 ${pkgs.coreutils}/bin/printf '{"vnc_port":%d,"auth":"none"}\n' \
 "$VNC_PORT" > /etc/hyperhive/gui.json || true
+ # --disable-transport-layer-security: VNC is loopback-only
+ # (relayed by the harness WebSocket proxy); TLS would require
+ # cert generation and adds no real security benefit here.
 exec ${pkgs.weston}/bin/weston \
 --backend=vnc-backend.so \
 --renderer=pixman \
- --port="$VNC_PORT"
+ --port="$VNC_PORT" \
+ --disable-transport-layer-security
 '';
 Restart = "on-failure";
 RestartSec = "5s";
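Review bot: Switching the hash input from hostname(1) to /etc/hostname changes which name is hashed: the removed line read the kernel nodename at runtime, while /etc/hostname is a static file that may differ from it if whatever creates the container sets the name with sethostname without rewriting the file, and then the computed port would no longer match lifecycle::agent_web_port. The kernel value is available without the inetutils binary, so the same intent can be kept with `RAW_HOST=$(${pkgs.coreutils}/bin/cat /proc/sys/kernel/hostname)`. Whichever source is used, an unreadable or empty file leaves AGENT_NAME empty and the FNV loop below then yields one fixed port for every such container, so add a guard before the hash such as `[ -n "$RAW_HOST" ] || { printf 'weston-vnc: empty hostname\n' >&2; exit 1; }`. The service script this hunk belongs to starts and ends outside the hunk.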
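Review bot: The new comment justifies dropping TLS with "VNC is loopback-only", but nothing in the exec line enforces that: only --port is passed, and weston's vnc backend also takes an --address option, so unless its default bind address is loopback (it does not appear to be, but confirm against the weston version in use) the server is reachable from any interface the container has, with TLS off and, per the gui.json written just above, auth "none". Make the comment's claim true in code by adding `--address=127.0.0.1 \` to the exec line ahead of --port, and say so in the comment, e.g. `# Bound to 127.0.0.1 below; only the harness WebSocket proxy reaches it.` If the proxy connects from outside the container's network namespace, the bound address must be the one it actually reaches, and then the TLS/auth trade-off should be reconsidered rather than assumed.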