Prevent containers from running non-container services

common/default.nix

@@ -102,5 +102,5 @@
   security.acme.defaults.email = "zuckerberg@neet.dev";
 
   # Enable Desktop Environment if this is a PC (machine role is "personal")
-  de.enable = lib.mkDefault (config.thisMachine.hasRole."personal");
+  de.enable = lib.mkDefault (config.thisMachine.hasRole."personal" && !config.boot.isContainer);
 }

common/nix-builder.nix

@@ -12,7 +12,7 @@ let
 in
 lib.mkMerge [
   # configure builder
-  (lib.mkIf thisMachineIsABuilder {
+  (lib.mkIf (thisMachineIsABuilder && !config.boot.isContainer) {
     users.users.${builderUserName} = {
       description = "Distributed Nix Build User";
       group = builderUserName;

common/server/atticd.nix

@@ -1,7 +1,7 @@
 { config, lib, ... }:
 
 {
-  config = lib.mkIf (config.thisMachine.hasRole."binary-cache") {
+  config = lib.mkIf (config.thisMachine.hasRole."binary-cache" && !config.boot.isContainer) {
     services.atticd = {
       enable = true;
       environmentFile = config.age.secrets.atticd-credentials.path;