diff --git a/home/scripts/lxc/lab-create.sh b/home/scripts/lxc/lab-create.sh index caef912..d8abe80 100644 --- a/home/scripts/lxc/lab-create.sh +++ b/home/scripts/lxc/lab-create.sh @@ -17,7 +17,7 @@ lxc-create -n "$CONTAINER" -f /etc/lxc/default.conf -t download -- -d ubuntu -r # write resolv.conf into rootfs before boot mkdir -p "/var/lib/lxc/${CONTAINER}/rootfs/etc" -rm -f "/var/lib/lxc/${CONTAINER}/rootfs/etc/resolv.conf" # remove if symlink +rm -f "/var/lib/lxc/${CONTAINER}/rootfs/etc/resolv.conf" echo "nameserver 8.8.8.8" > "/var/lib/lxc/${CONTAINER}/rootfs/etc/resolv.conf" # assign static IP via LXC config (host-side, always works) @@ -27,9 +27,6 @@ lxc.net.0.ipv4.gateway = 10.100.0.1 lxc.start.auto = 1 EOF -# write resolv.conf into rootfs before boot -# echo "nameserver 8.8.8.8" > "/var/lib/lxc/${CONTAINER}/rootfs/etc/resolv.conf" - # disable any in-container networking that might fight us rm -f "/var/lib/lxc/${CONTAINER}/rootfs/etc/netplan/"*.yaml 2>/dev/null || true mkdir -p "/var/lib/lxc/${CONTAINER}/rootfs/etc/netplan" @@ -46,10 +43,20 @@ EOF lxc-start -n "$CONTAINER" sleep 5 -# install SSH, inject key +# install SSH + VSCode Remote prerequisites lxc-attach --clear-env -n "$CONTAINER" -- /bin/bash -c " export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - apt-get update && apt-get install -y openssh-server + apt-get update && apt-get install -y \ + openssh-server \ + curl wget ca-certificates \ + git \ + tar gzip \ + procps \ + locales + # generate a UTF-8 locale (VSCode expects this) + sed -i 's/# en_US.UTF-8/en_US.UTF-8/' /etc/locale.gen + locale-gen + # SSH config mkdir -p /root/.ssh chmod 700 /root/.ssh sed -i 's/#PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config 
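Review bot: Dropping the `# remove if symlink` comment from the `rm -f` line in the first hunk removes the only explanation of why the file is deleted before the `echo >` that follows. The redirect runs on the host, so if the image ships `resolv.conf` as a symlink the write would follow it, and an absolute target would resolve against the host filesystem rather than the container rootfs. I would keep a comment there, for example `# remove first: the image may ship this as a symlink, and the host-side write below would follow it`.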
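Review bot: The quoted script passed to `bash -c` in the third hunk never checks the result of `apt-get update && apt-get install -y …`. The only wait for networking is the `sleep 5` above, so if the install fails, `locale-gen` and the `sshd_config` edit still run in a container that lacks those packages, and the failure is easy to miss. Appending `|| exit 1` after the last package (`locales || exit 1`) would stop at the failing step and give `lxc-attach` a non-zero status. The quoted script continues past the end of this hunk, so whatever follows is affected the same way.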
@@ -64,8 +71,6 @@ cat "$KEYFILE" | lxc-attach --clear-env -n "$CONTAINER" -- /bin/bash -c " " # create host user -# useradd -m -s /bin/bash -G labmates "$USER" 2>/dev/null || true -# useradd -m -s /bin/bash -G labmates -U "$USER" 2>/dev/null || true useradd -m -s /run/current-system/sw/bin/bash -G labmates -U "$USER" 2>/dev/null || true mkdir -p "/home/${USER}/.ssh" cp "$KEYFILE" "/home/${USER}/.ssh/authorized_keys" diff --git a/home/scripts/lxc/lxc-login.sh b/home/scripts/lxc/lxc-login.sh index 7f85b98..3d8add6 100644 --- a/home/scripts/lxc/lxc-login.sh +++ b/home/scripts/lxc/lxc-login.sh @@ -1,5 +1,4 @@ #!/usr/bin/env bash -# CONTAINER=$(cat "/home/${USER}/.lxc-container" 2>/dev/null) CONTAINER=$(cat "/home/$(whoami)/.lxc-container" 2>/dev/null) if [[ -z "$CONTAINER" ]]; then 
@@ -10,8 +9,28 @@ fi # ensure running lxc-start -n "$CONTAINER" 2>/dev/null || true +# --- build env flags to forward into the container --- +ENV_ARGS=() +ENV_ARGS+=(--keep-env) # start from the SSH session env instead of wiping it + +# always override these inside the container +ENV_ARGS+=(-v "HOME=/root") +ENV_ARGS+=(-v "USER=root") +ENV_ARGS+=(-v "SHELL=/bin/bash") +ENV_ARGS+=(-v "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin") + +# forward TERM (fixes color/ncurses) +[[ -n "$TERM" ]] && ENV_ARGS+=(-v "TERM=$TERM") +# forward locale +[[ -n "$LANG" ]] && ENV_ARGS+=(-v "LANG=$LANG") +[[ -n "$LC_ALL" ]] && ENV_ARGS+=(-v "LC_ALL=$LC_ALL") +# forward COLORTERM (used by modern terminals & vscode) +[[ -n "$COLORTERM" ]] && ENV_ARGS+=(-v "COLORTERM=$COLORTERM") + if [[ -n "$SSH_ORIGINAL_COMMAND" ]]; then - exec sudo lxc-attach --clear-env -n "$CONTAINER" -- /bin/bash -c "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; $SSH_ORIGINAL_COMMAND" + exec sudo lxc-attach "${ENV_ARGS[@]}" -n "$CONTAINER" -- \ + /bin/bash -lc "$SSH_ORIGINAL_COMMAND" else - exec sudo lxc-attach --clear-env -n "$CONTAINER" -- /bin/login -f root + exec sudo lxc-attach "${ENV_ARGS[@]}" -n "$CONTAINER" -- \ + /bin/login -f root fi diff --git a/system/lxc.nix b/system/lxc.nix index 2546276..b8c0623 100644 --- a/system/lxc.nix +++ b/system/lxc.nix @@ -1,4 +1,3 @@ -# system/lxc.nix { config, pkgs, ... }: { virtualisation.lxc = { enable = true; @@ -10,6 +9,7 @@ commands = [ { command = "/run/current-system/sw/bin/lxc-attach"; options = [ "NOPASSWD" ]; } { command = "/run/current-system/sw/bin/lxc-start"; options = [ "NOPASSWD" ]; } + { command = "/run/current-system/sw/bin/lxc-info"; options = [ "NOPASSWD" ]; } ]; }]; 
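Review bot: `ENV_ARGS+=(--keep-env)` replaces the previous `--clear-env`, so every variable that reaches `lxc-attach` from the SSH session is now handed to a root process inside the container, not only the ones forwarded below it. The lxc-attach manual warns that keeping the environment can leak undesirable information into the container; what actually gets through depends on the host's sudo `env_reset`/`env_keep` policy, which this diff does not show. The explicit `-v` entries already carry `TERM`, `LANG`, `LC_ALL`, `COLORTERM` and the fixed `HOME`/`USER`/`SHELL`/`PATH`, so the allowlist works without it: `ENV_ARGS+=(--clear-env)  # start empty; only the -v values below are passed in`. The forwarded values are chosen by the connecting client, which is fine as long as they stay quoted array elements as they are here.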
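Review bot: The added `lxc-info` entry is granted `NOPASSWD` with no argument restriction, matching the `lxc-attach` and `lxc-start` entries above it. Whoever this rule applies to (the `users`/`groups` part is outside the hunk) can therefore query every container on the host, not just their own. Nothing in this diff calls `lxc-info`; presumably one of the newly packaged lab scripts does. If so, granting sudo on a small wrapper that fixes the `-n` argument, rather than on the bare binary, would keep the rule as narrow as its use. At minimum, a comment such as `# needed by <script> to check container state` would record why the entry is here.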
@@ -84,12 +84,13 @@ environment.systemPackages = with pkgs; [ lxc - # lxc-templates wget gnupg debootstrap bridge-utils - (writeShellScriptBin "lxc-login" (builtins.readFile ../home/scripts/lxc/lxc-login.sh)) + (writeShellScriptBin "lxc-login" (builtins.readFile ../home/scripts/lxc/lxc-login.sh)) + (writeShellScriptBin "lab-mount" (builtins.readFile ../home/scripts/lxc/lab-mount.sh)) + (writeShellScriptBin "lab-addkey" (builtins.readFile ../home/scripts/lxc/lab-addkey.sh)) ]; environment.etc."lxc/default.conf".text = '' @@ -103,3 +104,4 @@ environment.etc."local/bin/lxc-login".source = ../home/scripts/lxc/lxc-login.sh; environment.etc."local/bin/lxc-login".mode = "0755"; } +
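Review bot: `lab-mount.sh` and `lab-addkey.sh` are read with `builtins.readFile`, but neither file is added or modified in this diff, so the code behind these two new system-wide commands cannot be reviewed here. If they are not already committed, evaluation will fail on the missing paths (and in a flake, untracked files are invisible to the build). It is worth confirming they are tracked and giving each the same review as `lxc-login.sh`. Judging by its name, `lab-addkey` likely edits `authorized_keys`; that is an inference, not something this diff shows.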