ethannortharc · ethannortharc · Mar 11, 2026 · Mar 11, 2026
diff --git a/nix/devbox-module.nix b/nix/devbox-module.nix
@@ -47,6 +47,13 @@ in {
     ++ (lib.optionals (langs.ruby or false) devboxSets.lang_ruby);
 
   # ── Services ───────────────────────────────────────
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+    };
+  };
   virtualisation.docker.enable = lib.mkDefault (sets.container or false);
   services.tailscale.enable = lib.mkDefault (sets.network or false);
 

diff --git a/src/cli/code.rs b/src/cli/code.rs
@@ -104,11 +104,11 @@ async fn open_via_incus(
 
     let ip = extract_incus_ip(&result.stdout)?;
 
-    // Detect actual username in the VM
+    // Detect actual username in the VM (filter to /home/ users to skip nixbld*)
     let uid_result = run_cmd(
         "incus",
         &["exec", vm_name, "--", "bash", "-lc",
-          "awk -F: '$3 >= 1000 && $3 < 65534 { print $1; exit }' /etc/passwd"],
+          "awk -F: '$3 >= 1000 && $3 < 65534 && $6 ~ /^\\/home\\// { print $1; exit }' /etc/passwd"],
     ).await?;
     let username = uid_result.stdout.trim();
     let username = if username.is_empty() { "dev" } else { username };

diff --git a/src/sandbox/mod.rs b/src/sandbox/mod.rs
@@ -318,25 +318,25 @@ impl SandboxManager {
         let layout_path = format!("/tmp/devbox-layout-{effective_layout}.kdl");
         let session_name = format!("devbox-{name}");
 
-        // Always clean up dead sessions first, then check for alive ones.
-        // `zellij delete-all-sessions` removes only dead (EXITED) sessions.
-        // Use bash -lc for NixOS PATH compatibility.
+        // Clean up dead sessions and check for live ones.
+        // Must run as the non-root user because Zellij sessions are per-user.
+        // On Incus, exec_cmd runs as root which can't see the user's sessions.
         let _ = runtime
-            .exec_cmd(name, &["bash", "-lc", "zellij delete-all-sessions -y"], false)
+            .exec_as_user(name, &["bash", "-lc", "zellij delete-all-sessions -y 2>/dev/null; true"])
             .await;
 
         if force_new_session {
             // Kill the live session so we can start fresh
             let kill_cmd = format!("zellij kill-session {session_name} 2>/dev/null; true");
             let _ = runtime
-                .exec_cmd(name, &["bash", "-lc", &kill_cmd], false)
+                .exec_as_user(name, &["bash", "-lc", &kill_cmd])
                 .await;
         }
 
-        // Check if a live session exists
+        // Check if a live session exists (must run as user to see user sessions)
         let list_cmd = format!("zellij list-sessions 2>/dev/null | grep -q '{session_name}'");
         let session_alive = runtime
-            .exec_cmd(name, &["bash", "-lc", &list_cmd], false)
+            .exec_as_user(name, &["bash", "-lc", &list_cmd])
             .await
             .map(|r| r.exit_code == 0)
             .unwrap_or(false);

diff --git a/src/sandbox/provision.rs b/src/sandbox/provision.rs
@@ -269,10 +269,7 @@ pub async fn post_cache_setup(
 ) -> Result<()> {
     let username = whoami();
 
-    // Wait for VM to be reachable
-    wait_for_network(runtime, name).await?;
-
-    // Detect VM user/home
+    // Detect VM user/home (no network needed — just reading /etc/passwd)
     let vm_user = detect_vm_username(runtime, name).await;
     let vm_home = detect_vm_home(runtime, name, &vm_user).await;