diff --git a/nix/templates/harness-base.nix b/nix/templates/harness-base.nix
index 11731be..01ec86b 100644
--- a/nix/templates/harness-base.nix
+++ b/nix/templates/harness-base.nix
@@ -393,10 +393,10 @@
                 # tea reads config from ~/.config/tea/config.yml (for root: /root/.config/tea/config.yml).
                 # Write it directly so we control default:true and always
                 # refresh a rotated token — no 'tea login add' interactive dance.
-                # Use getent to resolve root's home dir rather than $HOME which
-                # is unset in systemd service context (causing writes to /.config/).
-                _HOME=$(getent passwd root | cut -d: -f6)
-                CONFIG="$_HOME/.config/tea/config.yml"
+                # $HOME is unset in systemd service context (causing writes to
+                # /.config/). Hardcode /root — always correct for NixOS containers
+                # where the harness runs as root.
+                CONFIG="/root/.config/tea/config.yml"
                 mkdir -p "$(dirname "$CONFIG")" || true
                 cat > "$CONFIG" << EOF
         logins: