From 19caa9598c9a35fcaa6f3201d9edbcb05a612cfc Mon Sep 17 00:00:00 2001
From: Ben Potter
Date: Fri, 24 Apr 2026 14:12:30 +0000
Subject: [PATCH] feat(incus-vm): shared host nix-daemon for NixOS VMs via nix-shared profile

- Add nix-shared Incus profile on ThinkStation (bind /data/nix -> /nix)
- Apply nix-shared profile to NixOS VMs on ThinkStation
- coder.nix: disable VM nix-daemon/socket, use host daemon socket
- coder.nix: trusted-users includes workspace user
- coder.nix: override /nix/store fstab to bind from host-mounted /nix
---
 registry/bpmct/templates/incus-vm/main.tf | 3 ++-
 registry/bpmct/templates/incus-vm/nixos.tf | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/registry/bpmct/templates/incus-vm/main.tf b/registry/bpmct/templates/incus-vm/main.tf
index 881d4a20..a6bb822e 100644
--- a/registry/bpmct/templates/incus-vm/main.tf
+++ b/registry/bpmct/templates/incus-vm/main.tf
@@ -219,7 +219,8 @@ resource "incus_instance" "dev" {
 running = data.coder_workspace.me.start_count == 1
 name = "coder-${lower(data.coder_workspace_owner.me.name)}-${lower(data.coder_workspace.me.name)}"
 image = incus_image.image.fingerprint
- type = "virtual-machine"
+ type = "virtual-machine"
+ profiles = local.is_nixos && data.coder_parameter.host.value == "ThinkStation" ? ["default", "nix-shared"] : ["default"]
 dynamic "device" {
 for_each = local.usb_device != null ? [local.usb_device] : []
diff --git a/registry/bpmct/templates/incus-vm/nixos.tf b/registry/bpmct/templates/incus-vm/nixos.tf
index 77fd0cf7..268250f0 100644
--- a/registry/bpmct/templates/incus-vm/nixos.tf
+++ b/registry/bpmct/templates/incus-vm/nixos.tf
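Review bot: The new `profiles` conditional attaches the `nix-shared` profile to every NixOS VM on ThinkStation, but nothing in this diff shows whether that host share is read-only or uid-shifted; combined with the guest-side `options = [ "bind" "rw" ]` on /nix/store and `security.sudo.wheelNeedsPassword = false` visible in the nixos.tf hunk of this same commit, guest root can plausibly write into the host's /data/nix that the host daemon and every other shared VM consume, which is a cross-workspace store-poisoning path. The profile is also absent from the diffstat, so it is host state maintained outside the template: instance creation on ThinkStation will fail if it is missing, and its mount options cannot be reviewed here. At minimum this line deserves a comment stating the trust boundary, e.g. `# nix-shared is a host-managed profile (not in this repo) that exposes the host /nix to the guest; unless the profile sets readonly/shift, guest root == host root on that tree — confirm before enabling on more hosts`. Since the commit routes store writes through the host daemon rather than the guest, consider requiring the profile's disk device to be read-only, and verify separately that a virtio-fs share actually carries the daemon's Unix socket through to the guest (not verifiable from this diff). The `incus_instance.dev` resource block begins and ends outside the hunk.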
@@ -67,6 +67,26 @@ resource "null_resource" "provision_nixos" {
 security.sudo.wheelNeedsPassword = false;
+ # Use the shared host nix-daemon instead of running our own.
+ # The host mounts /nix (from /data/nix) into this VM via the nix-shared
+ # Incus profile, so the daemon socket is already present at
+ # /nix/var/nix/daemon-socket/socket.
+ nix.settings.trusted-users = [ "root" "$WUSER" ];
+ nix.settings.allowed-users = [ "*" ];
+
+ # Disable the VM's own nix-daemon — we use the host one.
+ systemd.services.nix-daemon.enable = lib.mkForce false;
+ systemd.sockets.nix-daemon.enable = lib.mkForce false;
+
+ # Override the default read-only bind of /nix/store from the VM's own
+ # disk partition. With the host /nix already mounted at /nix via virtio-fs,
+ # we just bind /nix/store from there (read-write so the daemon can write).
+ fileSystems."/nix/store" = lib.mkForce {
+ device = "/nix/store";
+ options = [ "bind" "rw" ];
+ depends = [ "/nix" ];
+ };
+
 systemd.services.coder-agent = {
 description = "Coder Agent";
 after = [ "network-online.target" ];