lifecycle: bind via EXTRA_NSPAWN_FLAGS in /etc/nixos-containers/<name>.conf

2026-05-14 22:06:27 +02:00 · 2026-05-14 22:06:27 +02:00 · 377eb994a1
commit 377eb994a1
parent 326da5a7bf
1 changed files with 11 additions and 11 deletions
--- a/hive-c0re/src/lifecycle.rs
+++ b/hive-c0re/src/lifecycle.rs
@ -37,23 +37,23 @@ pub async fn spawn(name: &str, agent_flake: &str, agent_dir: &Path) -> Result<()
    validate(name)?;
    let container = container_name(name);
    run(&["create", &container, "--flake", agent_flake]).await?;
-    write_nspawn_override(&container, agent_dir)?;
+    append_bind_flag(&container, agent_dir)?;
    run(&["start", &container]).await
 }
-/// `nixos-container` in this stack doesn't expose `--bind`, so we drop a
+/// `nixos-container` doesn't expose `--bind` on the CLI, but its start script
-/// `.nspawn` override that systemd-nspawn picks up at start time.
+/// expands `$EXTRA_NSPAWN_FLAGS` (from `/etc/nixos-containers/<name>.conf`)
-fn write_nspawn_override(container: &str, agent_dir: &Path) -> Result<()> {
+/// unquoted into the `systemd-nspawn` invocation. Append a `--bind` flag there.
-    const NSPAWN_DIR: &str = "/run/systemd/nspawn";
+fn append_bind_flag(container: &str, agent_dir: &Path) -> Result<()> {
-    std::fs::create_dir_all(NSPAWN_DIR)
+    let path = format!("/etc/nixos-containers/{container}.conf");
-        .with_context(|| format!("create {NSPAWN_DIR}"))?;
+    let line = format!(
-    let path = format!("{NSPAWN_DIR}/{container}.nspawn");
+        "\nEXTRA_NSPAWN_FLAGS=\"--bind={}:{CONTAINER_RUNTIME_MOUNT}\"\n",
    let content = format!(
        "[Files]\nBind={}:{CONTAINER_RUNTIME_MOUNT}\n",
        agent_dir.display()
    );
    let mut content = std::fs::read_to_string(&path).with_context(|| format!("read {path}"))?;
    content.push_str(&line);
    std::fs::write(&path, content).with_context(|| format!("write {path}"))?;
-    tracing::info!(%path, "wrote nspawn bind override");
+    tracing::info!(%path, "appended EXTRA_NSPAWN_FLAGS for bind mount");
    Ok(())
 }