diff --git a/common/default.nix b/common/default.nix
index 62e5071..1ed7038 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -96,7 +96,7 @@
 { groups = [ "wheel" ]; persist = true; }
 ];
- nix.gc.automatic = true;
+ nix.gc.automatic = !config.boot.isContainer;
 security.acme.acceptTerms = true;
 security.acme.defaults.email = "zuckerberg@neet.dev";
diff --git a/common/sandboxed-workspace/vm.nix b/common/sandboxed-workspace/vm.nix
index cf2ac27..3710a97 100644
--- a/common/sandboxed-workspace/vm.nix
+++ b/common/sandboxed-workspace/vm.nix
@@ -133,8 +133,15 @@ let
 };
 in
 {
- config = mkIf (cfg.enable && vmWorkspaces != { }) {
- # Convert VM workspace configs to microvm.nix format
- microvm.vms = mapAttrs mkVmConfig vmWorkspaces;
- };
+ config = mkMerge [
+ (mkIf (cfg.enable && vmWorkspaces != { }) {
+ # Convert VM workspace configs to microvm.nix format
+ microvm.vms = mapAttrs mkVmConfig vmWorkspaces;
+ })
+
+ # microvm.nixosModules.host enables KSM, but /sys is read-only in containers
+ (mkIf config.boot.isContainer {
+ hardware.ksm.enable = false;
+ })
+ ];
 }
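Review bot: The new condition `nix.gc.automatic = !config.boot.isContainer;` carries no explanation, unlike the container-specific override in vm.nix which states its reason in a comment. If the intent is that a container's /nix/store is provided by the host, so the host's collector rather than the container's timer is responsible for pruning it, a one-line comment above the assignment should say so, e.g. `# Containers do not own their store; garbage collection is the host's job`. Without it a later reader may conclude that old closures simply accumulate inside containers and re-enable the timer, or may not realise that the host's GC schedule is now the only thing keeping stale paths out of containerised systems. The enclosing attribute set starts and ends outside the hunk.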
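Review bot: `hardware.ksm.enable = false;` in the new container branch is defined at normal priority, so if microvm.nixosModules.host sets the option to `true` at normal priority the module system reports conflicting definitions instead of preferring this one; the override only wins silently if microvm uses mkDefault, which the hunk does not show. `hardware.ksm.enable = mkForce false;` (mkForce from lib, like the mkIf/mkMerge already used here) works in either case and makes it explicit that this definition is meant to beat the imported module. Note also that the second mkIf sits outside the `cfg.enable` guard, so it applies to every container that imports this file whether or not workspaces are enabled; that is correct if the microvm host module is imported unconditionally elsewhere, which cannot be confirmed from the hunk. The `let` block that starts this file section begins outside the hunk.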