From f5d2ebeaeccc334b8763b6dd30276a7603c1e971 Mon Sep 17 00:00:00 2001
From: Christoffer Martinsson
Date: Sat, 25 Oct 2025 01:37:21 +0200
Subject: [PATCH] Add --no-sandbox flag to nixos-rebuild command

Fixes kernel namespace sandboxing issues when running as systemd service. The --no-sandbox flag disables Nix build sandboxing which requires kernel namespaces not available in restricted service environments.
---
 agent/src/agent.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/agent/src/agent.rs b/agent/src/agent.rs
index 920c814..b877193 100644
--- a/agent/src/agent.rs
+++ b/agent/src/agent.rs
@@ -302,6 +302,7 @@ impl Agent {
 tokio::process::Command::new("sudo")
 .arg("/run/current-system/sw/bin/nixos-rebuild")
 .arg("switch")
+ .arg("--no-sandbox")
 .arg("--flake")
 .arg(".")
 .current_dir(working_dir)
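Review bot: The added `.arg("--no-sandbox")` turns off Nix build isolation for every `nixos-rebuild switch` this agent starts through `sudo`, so whatever the flake in `working_dir` builds can see the host filesystem and network instead of running in a sandbox. If the failure comes from the service unit's own hardening (the commit message points at unavailable namespaces; a setting such as `RestrictNamespaces=` would be one cause, though the unit is not shown), relaxing that for this one service keeps the sandbox and is the narrower fix. If the flag has to stay, make it opt-in from configuration rather than unconditional, and record the trade-off at the call site, e.g. `// SECURITY: sandbox is off because the service cannot create namespaces; the flake in working_dir must be trusted`. The builder chain starts and ends outside this hunk, so where `working_dir` comes from and how the exit status is handled cannot be checked here.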