diff --git a/scripts/codex-setup.sh b/scripts/codex-setup.sh index 93a9afa..ad78490 100644 --- a/scripts/codex-setup.sh +++ b/scripts/codex-setup.sh @@ -7,12 +7,58 @@ accept-flake-config = false warn-dirty = false " -if ! command -v nix >/dev/null 2>&1; then - echo "Installing Nix in single-user mode..." - sh <(curl -L https://nixos.org/nix/install) --no-daemon - # shellcheck disable=SC1090 - . "$HOME/.nix-profile/etc/profile.d/nix.sh" -fi +ensure_nix_profile() { + if [ -f /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh ]; then + . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh + elif [ -f "$HOME/.nix-profile/etc/profile.d/nix.sh" ]; then + . "$HOME/.nix-profile/etc/profile.d/nix.sh" + fi +} + +install_nix_if_missing() { + if command -v nix >/dev/null 2>&1; then + return + fi + + echo "Nix not found. Installing Nix..." + + if [ "$(id -u)" -eq 0 ]; then + echo "Running as root; preparing nixbld users for container/Codex environment..." + + if ! getent group nixbld >/dev/null; then + groupadd -r nixbld + fi + + for i in $(seq 1 10); do + if ! id "nixbld$i" >/dev/null 2>&1; then + useradd \ + -r \ + -g nixbld \ + -G nixbld \ + -d /var/empty \ + -s /usr/sbin/nologin \ + "nixbld$i" || true + fi + done + + mkdir -p /etc/nix + cat > /etc/nix/nix.conf <<'EOF' +experimental-features = nix-command flakes +accept-flake-config = false +warn-dirty = false +build-users-group = nixbld +EOF + + sh <(curl -L https://nixos.org/nix/install) --no-daemon + else + sh <(curl -L https://nixos.org/nix/install) --no-daemon + fi + + ensure_nix_profile +} + +install_nix_if_missing +ensure_nix_profile mkdir -p "$HOME/.config/nix" cat > "$HOME/.config/nix/nix.conf" <<'EOF' 
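Review bot: The root branch of `install_nix_if_missing` runs `sh <(curl -L https://nixos.org/nix/install) --no-daemon` with no protocol, failure or integrity checks, and process substitution discards curl's exit status, so a failed download is not detected at this point. Fetch to a file first and stop on error, e.g. `installer="$(mktemp)"`, `curl --proto '=https' --tlsv1.2 -sSfL https://nixos.org/nix/install -o "$installer" || exit 1`, `sh "$installer" --no-daemon`; ideally pin a versioned installer URL and compare the file against a known checksum before running it. Both arms of the `if`/`else` invoke the same installer command, so it can be written once after the `fi`. The `|| true` on `useradd` lets the install continue with missing build users, and `cat > /etc/nix/nix.conf` overwrites any existing system configuration unconditionally; reporting the `useradd` failure and writing the file only when it is absent would be safer.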
@@ -24,11 +70,17 @@ EOF echo "Nix version:" nix --version +echo "Installing jq if unavailable..." +if ! command -v jq >/dev/null 2>&1; then + nix profile install nixpkgs#jq +fi + echo "Available NixOS hosts:" -nix eval --json --no-accept-flake-config .#nixosConfigurations --apply builtins.attrNames | jq -r '.[]' +hosts="$(nix eval --json --no-accept-flake-config .#nixosConfigurations --apply builtins.attrNames | jq -r '.[]')" +echo "$hosts" echo "Evaluating all host toplevel derivations..." -for host in $(nix eval --json --no-accept-flake-config .#nixosConfigurations --apply builtins.attrNames | jq -r '.[]'); do +for host in $hosts; do echo "==> Evaluating $host" nix eval --raw --no-accept-flake-config ".#nixosConfigurations.${host}.config.system.build.toplevel.drvPath" done
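Review bot: The new `hosts="$(nix eval ... | jq -r '.[]')"` assignment fails open: if `nix eval` errors, `jq` still exits 0 on empty input, `hosts` is empty, and the `for host in $hosts` loop evaluates nothing while the script finishes successfully, unless `pipefail` is set earlier in the file, which this hunk does not show. Add a guard after the assignment such as `[ -n "$hosts" ] || { echo "no nixosConfigurations found" >&2; exit 1; }`. Separately, `nix profile install nixpkgs#jq` resolves `nixpkgs` through the flake registry rather than the repository's lock file, so the jq that parses the host list is unpinned. Adding `--inputs-from .` would tie it to the flake's own locked inputs, assuming the flake has an input named `nixpkgs`.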