diff --git a/pkgs/mk-nspawn-setup/setup-nspawn.sh b/pkgs/mk-nspawn-setup/setup-nspawn.sh
index 6295fc6..10d6b1b 100644
--- a/pkgs/mk-nspawn-setup/setup-nspawn.sh
+++ b/pkgs/mk-nspawn-setup/setup-nspawn.sh
@@ -28,6 +28,20 @@ machinectl remove "$NSPAWN_NAME" || true
 # TODO: is this interactive?
 #machinectl pull-tar "https://github.com/tfc/nspawn-nixos/releases/download/v1.0/nixos-system-x86_64-linux.tar.xz" "$NSPAWN_NAME" --verify=no
 machinectl import-tar "$TARBALL" "$NSPAWN_NAME"
+# TODO: get sandbox working
+# https://wiki.archlinux.org/index.php?title=Systemd-nspawn&oldid=703843#Run_docker_in_systemd-nspawn
+#[Files]
+#Bind=/sys/fs/cgroup
+#Bind=/proc
+#[Exec]
+#Capability=all
+#SystemCallFilter=@known @priviledged
+#SystemCallFilter=add_key keyctl bpf
+#Parameters=systemd.legacy_systemd_cgroup_controller=yes
+#Parameters=systemd.unified_cgroup_hierarchy=0
+#PrivateUsers=no
+#PrivateUsersOwnership=no
+
 # use host network
 mkdir -p /etc/systemd/nspawn
 tee /etc/systemd/nspawn/"$NSPAWN_NAME".nspawn <<"EOF"
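Review bot: The commented-out nspawn settings added after the `machinectl import-tar` line remove most of the isolation nspawn provides — `Capability=all`, `PrivateUsers=no`, a syscall filter that admits the `@privileged` group plus `add_key keyctl bpf`, and bind-mounting the host's `/proc` and `/sys/fs/cgroup` — so if this TODO is ever uncommented as written, a process inside the container would run with close to host-root privileges. The filter line also misspells the group as `@priviledged`; systemd's group is `@privileged`, and the misspelt name is likely to be rejected or ignored rather than applied. Suggest recording the trade-off next to the TODO so it is not copied into the unit by accident, e.g. `# WARNING: the settings below drop user-namespace, capability and syscall isolation; do not enable on a shared host without a review`, and fixing the group name while the block is still a comment. Note that the `tee` heredoc that writes the .nspawn unit begins on the hunk's last line and continues outside the hunk, so whether any of these lines are already emitted into the unit cannot be seen here.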