From 7ce0f0022f67a7cffd6358b36529d6cc9de24303 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?m=C3=BCde?=
Date: Thu, 14 May 2026 21:52:17 +0200
Subject: [PATCH] lifecycle: bind agent dir via /run/systemd/nspawn override (nixos-container lacks --bind)
---
 hive-c0re/src/lifecycle.rs | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/hive-c0re/src/lifecycle.rs b/hive-c0re/src/lifecycle.rs
index 8d7cddc..20d51f6 100644
--- a/hive-c0re/src/lifecycle.rs
+++ b/hive-c0re/src/lifecycle.rs
@@ -17,11 +17,27 @@ pub fn container_name(name: &str) -> String {
 pub async fn spawn(name: &str, agent_flake: &str, agent_dir: &Path) -> Result<()> {
 let container = container_name(name);
- let bind = format!("{}:{CONTAINER_RUNTIME_MOUNT}", agent_dir.display());
- run(&["create", &container, "--flake", agent_flake, "--bind", &bind]).await?;
+ run(&["create", &container, "--flake", agent_flake]).await?;
+ write_nspawn_override(&container, agent_dir)?;
 run(&["start", &container]).await
 }
+/// `nixos-container` in this stack doesn't expose `--bind`, so we drop a
+/// `.nspawn` override that systemd-nspawn picks up at start time.
+fn write_nspawn_override(container: &str, agent_dir: &Path) -> Result<()> {
+ const NSPAWN_DIR: &str = "/run/systemd/nspawn";
+ std::fs::create_dir_all(NSPAWN_DIR)
+ .with_context(|| format!("create {NSPAWN_DIR}"))?;
+ let path = format!("{NSPAWN_DIR}/{container}.nspawn");
+ let content = format!(
+ "[Files]\nBind={}:{CONTAINER_RUNTIME_MOUNT}\n",
+ agent_dir.display()
+ );
+ std::fs::write(&path, content).with_context(|| format!("write {path}"))?;
+ tracing::info!(%path, "wrote nspawn bind override");
+ Ok(())
+}
+
 pub async fn kill(name: &str) -> Result<()> {
 let container = container_name(name);
 run(&["stop", &container]).await
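Review bot: `write_nspawn_override` interpolates `agent_dir.display()` unchecked into the `Bind=` line, so a directory path containing a newline would append further lines to a `.nspawn` file under /run/systemd/nspawn, a location systemd-nspawn treats as trusted, and a `:` in the path would shift the source/destination split. Reject such paths before formatting, for example `let src = agent_dir.to_str().context("agent dir is not valid UTF-8")?;` followed by `anyhow::ensure!(!src.contains(['\n', '\r', ':']), "agent dir {src:?} cannot be written to Bind=");` (this assumes `Result` is anyhow's, as the `with_context` calls suggest). `container` is joined into the file path in the same way; `container_name` is defined outside the hunk, so whether it excludes `/` cannot be confirmed from here. The override is written only after `create` has succeeded, and nothing visible in the hunk removes it on a later failure or on teardown (the body of `kill` continues outside the hunk), so a stale file may persist in /run until reboot.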