diff --git a/nixos/default.nix b/nixos/default.nix
index 3c0f982..2944e04 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -7,7 +7,8 @@ in
 {
   imports = [ (import ./networks args) (import ./vms args) ];
 
-  config.nix.settings.sandbox = "relaxed"; # for vm customize to work properly
+  # only relax sandbox on hosts that actually define VM namespaces
+  config.nix.settings.sandbox = mkIf (config.vmix.namespaces != {}) "relaxed";
 
   options.vmix.namespaces = mkOption {
     type = types.attrsOf