bagel-box: fix /run/wrappers not being mounted on boot

hosts/bagel-box/default.nix

@@ -1,8 +1,17 @@
-{ lib, ... }:
+{ config, lib, ... }:
 
 {
   boot.isContainer = true;
-  boot.specialFileSystems = lib.mkForce {};
+
+  # XXX: There's currently no way to remove the "problematic" entries (trying
+  # to override the /proc, /sys, /dev, ... mounts from systemd-nspawn) while
+  # also keeping the entry for the wrappers dir.
+  boot.specialFileSystems = lib.mkForce {
+    "/run/wrappers" = {
+      fsType = "tmpfs";
+      options = [ "nodev" "mode=755" "size=${config.security.wrapperDirSize}" ];
+    };
+  };
 
   boot.loader.initScript.enable = true;