From 377eb994a18bed5de12387c1220248b725db84b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?m=C3=BCde?=
Date: Thu, 14 May 2026 22:06:27 +0200
Subject: [PATCH] lifecycle: bind via EXTRA_NSPAWN_FLAGS in /etc/nixos-containers/.conf

---
 hive-c0re/src/lifecycle.rs | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/hive-c0re/src/lifecycle.rs b/hive-c0re/src/lifecycle.rs
index 06453d8..f8e4f1e 100644
--- a/hive-c0re/src/lifecycle.rs
+++ b/hive-c0re/src/lifecycle.rs
@@ -37,23 +37,23 @@ pub async fn spawn(name: &str, agent_flake: &str, agent_dir: &Path) -> Result<()
     validate(name)?;
     let container = container_name(name);
     run(&["create", &container, "--flake", agent_flake]).await?;
-    write_nspawn_override(&container, agent_dir)?;
+    append_bind_flag(&container, agent_dir)?;
     run(&["start", &container]).await
 }
 
-/// `nixos-container` in this stack doesn't expose `--bind`, so we drop a
-/// `.nspawn` override that systemd-nspawn picks up at start time.
-fn write_nspawn_override(container: &str, agent_dir: &Path) -> Result<()> {
-    const NSPAWN_DIR: &str = "/run/systemd/nspawn";
-    std::fs::create_dir_all(NSPAWN_DIR)
-        .with_context(|| format!("create {NSPAWN_DIR}"))?;
-    let path = format!("{NSPAWN_DIR}/{container}.nspawn");
-    let content = format!(
-        "[Files]\nBind={}:{CONTAINER_RUNTIME_MOUNT}\n",
+/// `nixos-container` doesn't expose `--bind` on the CLI, but its start script
+/// expands `$EXTRA_NSPAWN_FLAGS` (from `/etc/nixos-containers/.conf`)
+/// unquoted into the `systemd-nspawn` invocation. Append a `--bind` flag there.
+fn append_bind_flag(container: &str, agent_dir: &Path) -> Result<()> {
+    let path = format!("/etc/nixos-containers/{container}.conf");
+    let line = format!(
+        "\nEXTRA_NSPAWN_FLAGS=\"--bind={}:{CONTAINER_RUNTIME_MOUNT}\"\n",
         agent_dir.display()
     );
+    let mut content = std::fs::read_to_string(&path).with_context(|| format!("read {path}"))?;
+    content.push_str(&line);
     std::fs::write(&path, content).with_context(|| format!("write {path}"))?;
-    tracing::info!(%path, "wrote nspawn bind override");
+    tracing::info!(%path, "appended EXTRA_NSPAWN_FLAGS for bind mount");
     Ok(())
 }
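Review bot: `agent_dir.display()` is interpolated verbatim into the `EXTRA_NSPAWN_FLAGS` line in `append_bind_flag`, and the new doc comment itself states the start script expands that variable unquoted into the `systemd-nspawn` command line, yet nothing in the hunk validates the path the way `validate(name)` validates the container name: a directory containing whitespace, `"`, `$`, a backtick, a backslash or `:` (the `--bind` source/target separator) would break the quoted assignment, be word-split into extra nspawn arguments, or bind a different source than intended. Rejecting non-absolute or shell-unsafe paths before building the line keeps the bind mount the only thing this assignment can express. A second, smaller point: the append is unconditional, so if the `.conf` already carries an `EXTRA_NSPAWN_FLAGS=` assignment from the container's own configuration, the appended one presumably shadows it when the file is sourced and any flags set there are silently lost; detecting an existing assignment and merging into it, or erroring, would avoid that. The hunk does not show which crate provides `Result`/`with_context`, so the guard below reuses the same `with_context` call the new code already makes rather than introducing a `bail!`.
```rust
fn append_bind_flag(container: &str, agent_dir: &Path) -> Result<()> {
    // The .conf is sourced by a shell and expanded unquoted: refuse any path that
    // could break out of the quoted value, be word-split, or confuse --bind's src:dst.
    let dir = agent_dir
        .to_str()
        .with_context(|| format!("agent_dir {} is not valid UTF-8", agent_dir.display()))?;
    let unsafe_char = |c: char| c.is_whitespace() || matches!(c, '"' | '\'' | '$' | '`' | '\\' | ':');
    (agent_dir.is_absolute() && !dir.chars().any(unsafe_char))
        .then_some(())
        .with_context(|| format!("agent_dir {dir:?} is not an absolute, shell-safe path"))?;
    // … unchanged: build `line`, read, append and write the .conf, log, Ok(()) …
```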