From 6974634326fd0aa7adc1d7ca0064c85309d43647 Mon Sep 17 00:00:00 2001
From: damocles
Date: Thu, 21 May 2026 21:27:09 +0200
Subject: [PATCH] harness: set sandbox-fallback = true to fix nix builds in containers (fixes #196)

---
 nix/templates/harness-base.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/nix/templates/harness-base.nix b/nix/templates/harness-base.nix
index 359adc3..62fa305 100644
--- a/nix/templates/harness-base.nix
+++ b/nix/templates/harness-base.nix
@@ -347,6 +347,14 @@
     "flakes"
   ];
 
+  # Containers bind-mount the host's nix-daemon socket. The host daemon
+  # may be configured with remote builders or strict sandbox settings
+  # (sandbox-fallback = false) that make local `nix build` invocations
+  # fail inside the container. Enable sandbox-fallback so builds that
+  # can't set up the sandbox (no user-namespaces in nspawn) fall back
+  # to unsandboxed local builds rather than failing outright.
+  nix.settings.sandbox-fallback = true;
+
   # `claude-code` is unfree. Each per-agent container's nixosConfiguration
   # evaluates its own `nixpkgs` instance, so the operator's host-level
   # `nixpkgs.config.allowUnfreePredicate` does not propagate into here —
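Review bot: The new `nix.settings.sandbox-fallback = true;` lands in the container's own nix.conf, but the comment directly above it says builds go through the host's bind-mounted nix-daemon socket, and sandbox behaviour is decided by the daemon that performs the build; the container's copy reaches that daemon only as a client-specified option, which, if I recall the daemon's handling correctly, is ignored for users not listed in the host's `trusted-users`, so whether this actually resolves #196 depends on the container user being trusted or the host carrying the same setting, and that is worth confirming in the issue. The comment also leaves out the cost of the fallback: a derivation that cannot be sandboxed then runs without the build sandbox under the daemon, with the daemon's view of filesystem and network, and these are per-agent containers whose build inputs are not necessarily trusted. I would add to the comment `# NOTE: fallback builds run unsandboxed on the daemon side; fixing sandbox setup (user namespaces) is preferable, and this widens what an untrusted derivation can reach.` The enclosing attribute set starts and ends outside the hunk.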