Improve nix settings for sandboxed workspaces

common/sandboxed-workspace/base.nix

@@ -114,6 +114,7 @@ in
 
   # Enable flakes
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.trusted-users = [ "googlebot" ];
 
   # Make nixpkgs available in NIX_PATH and registry (like the NixOS ISO)
   # This allows `nix-shell -p`, `nix repl '<nixpkgs>'`, etc. to work

common/sandboxed-workspace/incus.nix

@@ -32,6 +32,9 @@ let
             networking.useHostResolvConf = false;
             nixpkgs.config.allowUnfree = true;
 
+            # Incus containers don't support the kernel features nix sandbox requires
+            nix.settings.sandbox = false;
+
             environment.systemPackages = [
               (lib.hiPrio (pkgs.writeShellScriptBin "claude" ''
                 exec ${pkgs.claude-code}/bin/claude --dangerously-skip-permissions "$@"