lifecycle: bind agent dir via /run/systemd/nspawn override (nixos-container lacks --bind)

hive-c0re/src/lifecycle.rs

@@ -17,11 +17,27 @@ pub fn container_name(name: &str) -> String {
 
 pub async fn spawn(name: &str, agent_flake: &str, agent_dir: &Path) -> Result<()> {
     let container = container_name(name);
-    let bind = format!("{}:{CONTAINER_RUNTIME_MOUNT}", agent_dir.display());
-    run(&["create", &container, "--flake", agent_flake, "--bind", &bind]).await?;
+    run(&["create", &container, "--flake", agent_flake]).await?;
+    write_nspawn_override(&container, agent_dir)?;
     run(&["start", &container]).await
 }
 
+/// `nixos-container` in this stack doesn't expose `--bind`, so we drop a
+/// `.nspawn` override that systemd-nspawn picks up at start time.
+fn write_nspawn_override(container: &str, agent_dir: &Path) -> Result<()> {
+    const NSPAWN_DIR: &str = "/run/systemd/nspawn";
+    std::fs::create_dir_all(NSPAWN_DIR)
+        .with_context(|| format!("create {NSPAWN_DIR}"))?;
+    let path = format!("{NSPAWN_DIR}/{container}.nspawn");
+    let content = format!(
+        "[Files]\nBind={}:{CONTAINER_RUNTIME_MOUNT}\n",
+        agent_dir.display()
+    );
+    std::fs::write(&path, content).with_context(|| format!("write {path}"))?;
+    tracing::info!(%path, "wrote nspawn bind override");
+    Ok(())
+}
+
 pub async fn kill(name: &str) -> Result<()> {
     let container = container_name(name);
     run(&["stop", &container]).await