diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index 0a95d183..4e15d5e3 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -106,8 +106,8 @@
 @{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
 
 # Common places for binaries and libraries across distributions
-@{bin}=/{,usr/}{,s}bin
-@{lib}=/{,usr/}lib{,exec,32,64}
+@{bin}=/{nix/store/*/,}{,usr/}bin
+@{lib}=/{nix/store/*/,/run/wrappers,}{,usr/}lib{,exec,32,64}
 
 # Common places for temporary files
 @{tmp}=/tmp/ /tmp/user/@{uid}/
diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go
index 3f2dd9f4..39a8b64a 100644
--- a/cmd/prebuild/main.go
+++ b/cmd/prebuild/main.go
@@ -37,7 +37,7 @@ func init() {
 
 	// Compatibility with AppArmor 3
 	switch prebuild.Distribution {
-	case "arch":
+	case "arch", "nixos":
 
 	case "ubuntu":
 		if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) {
diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go
index a887d4b9..eb0cc2ef 100644
--- a/pkg/aa/apparmor.go
+++ b/pkg/aa/apparmor.go
@@ -33,13 +33,13 @@ func DefaultTunables() *AppArmorProfileFile {
 	return &AppArmorProfileFile{
 		Preamble: Rules{
 			&Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true},
-			&Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
+			&Variable{Name: "bin", Values: []string{"/{nix/store/*/,/run/wrappers,}{,usr/}{,s}bin"}, Define: true},
 			&Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true},
 			&Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
 			&Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
 			&Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true},
 			&Variable{Name: "int2", Values: []string{"[0-9][0-9]"}, Define: true},
-			&Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}, Define: true},
+			&Variable{Name: "lib", Values: []string{"/{nix/store/*/,}{,usr/}lib{,exec,32,64}"}, Define: true},
 			&Variable{Name: "MOUNTS", Values: []string{"/media/*/", "/run/media/*/*/", "/mnt/*/"}, Define: true},
 			&Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true},
 			&Variable{Name: "rand", Values: []string{"@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}"}, Define: true}, // Up to 10 characters
diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go
index 4b8e11ec..11eab5f7 100644
--- a/pkg/prebuild/prepare/configure.go
+++ b/pkg/prebuild/prepare/configure.go
@@ -28,7 +28,7 @@ func (p Configure) Apply() ([]string, error) {
 	res := []string{}
 
 	switch prebuild.Distribution {
-	case "arch", "opensuse":
+	case "arch", "opensuse", "nixos":
 
 	case "ubuntu":
 		if err := prebuild.DebianHide.Init(); err != nil {