fix damocles cgroup broken after sleep with network switch

nixosConfigurations/damocles/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, self, ... }:
+{ pkgs, lib, self, ... }:
 {
   imports = [ ./android-dev.nix ];
 
@@ -6,6 +6,12 @@
 
   boot.isContainer = true;
 
+  # Container shares host network namespace (privateNetwork = false), so the
+  # host's tailscale already covers this. Running a second tailscaled in the
+  # same netns fights over routing and breaks connectivity after sleep/wake.
+  services.tailscale.enable = lib.mkForce false;
+  networking.firewall.checkReversePath = lib.mkForce "strict";
+
   allowedUnfreePackages = [ "claude-code" ];
 
   environment.systemPackages = with pkgs; [

nixosConfigurations/muede-lpt2/default.nix

@@ -69,7 +69,12 @@
 
     # Global DefaultTimeoutStopSec is 10s (modern-desktop.nix), which kills systemd-nspawn
     # before it finishes halting, leaving cgroups busy and breaking restarts.
-    systemd.services."container@damocles".serviceConfig.TimeoutStopSec = "60s";
+    systemd.services."container@damocles".serviceConfig = {
+      TimeoutStopSec = "60s";
+      # After a SIGKILL of nspawn, the kernel needs a moment to reap its cgroups.
+      # Without this, the immediate restart attempt fails with "Device or resource busy".
+      RestartSec = "5s";
+    };
 
     boot.enableContainers = true;
     virtualisation.containers.enable = true;