diff --git a/hive-c0re/src/forge.rs b/hive-c0re/src/forge.rs
index 3014dce..d969776 100644
--- a/hive-c0re/src/forge.rs
+++ b/hive-c0re/src/forge.rs
@@ -66,7 +66,26 @@ async fn forge_admin(args: &[&str]) -> Result<String> {
     // `runuser` (util-linux, always present in a NixOS container)
     // beats `sudo` here — sudo isn't installed unless `security.sudo`
     // is enabled, and we don't want to depend on that.
-    cmd.args(["run", FORGE_CONTAINER, "--", "runuser", "-u", "forgejo", "--", "forgejo", "admin"]);
+    //
+    // `--work-path` is mandatory: without it, the admin CLI defaults
+    // WorkPath to `dirname(executable)` (a RO nix-store path), then
+    // looks for `<WorkPath>/custom/conf/app.ini` which doesn't
+    // exist, falls back to defaults, and F3 init tries to mkdir
+    // under the nix store and fatals. The systemd unit sets
+    // WORK_PATH for the daemon; we mirror it here for the CLI.
+    cmd.args([
+        "run",
+        FORGE_CONTAINER,
+        "--",
+        "runuser",
+        "-u",
+        "forgejo",
+        "--",
+        "forgejo",
+        "--work-path",
+        "/var/lib/forgejo",
+        "admin",
+    ]);
     cmd.args(args);
     let out = cmd
         .output()