lifecycle: bind via EXTRA_NSPAWN_FLAGS in /etc/nixos-containers/<name>.conf

hive-c0re/src/lifecycle.rs

@@ -37,23 +37,23 @@ pub async fn spawn(name: &str, agent_flake: &str, agent_dir: &Path) -> Result<()
     validate(name)?;
     let container = container_name(name);
     run(&["create", &container, "--flake", agent_flake]).await?;
-    write_nspawn_override(&container, agent_dir)?;
+    append_bind_flag(&container, agent_dir)?;
     run(&["start", &container]).await
 }
 
-/// `nixos-container` in this stack doesn't expose `--bind`, so we drop a
-/// `.nspawn` override that systemd-nspawn picks up at start time.
-fn write_nspawn_override(container: &str, agent_dir: &Path) -> Result<()> {
-    const NSPAWN_DIR: &str = "/run/systemd/nspawn";
-    std::fs::create_dir_all(NSPAWN_DIR)
-        .with_context(|| format!("create {NSPAWN_DIR}"))?;
-    let path = format!("{NSPAWN_DIR}/{container}.nspawn");
-    let content = format!(
-        "[Files]\nBind={}:{CONTAINER_RUNTIME_MOUNT}\n",
+/// `nixos-container` doesn't expose `--bind` on the CLI, but its start script
+/// expands `$EXTRA_NSPAWN_FLAGS` (from `/etc/nixos-containers/<name>.conf`)
+/// unquoted into the `systemd-nspawn` invocation. Append a `--bind` flag there.
+fn append_bind_flag(container: &str, agent_dir: &Path) -> Result<()> {
+    let path = format!("/etc/nixos-containers/{container}.conf");
+    let line = format!(
+        "\nEXTRA_NSPAWN_FLAGS=\"--bind={}:{CONTAINER_RUNTIME_MOUNT}\"\n",
         agent_dir.display()
     );
+    let mut content = std::fs::read_to_string(&path).with_context(|| format!("read {path}"))?;
+    content.push_str(&line);
     std::fs::write(&path, content).with_context(|| format!("write {path}"))?;
-    tracing::info!(%path, "wrote nspawn bind override");
+    tracing::info!(%path, "appended EXTRA_NSPAWN_FLAGS for bind mount");
     Ok(())
 }