diff --git a/finch.yaml b/finch.yaml
index 1ded9ee58..b72600fcb 100644
--- a/finch.yaml
+++ b/finch.yaml
@@ -149,11 +149,25 @@ provision:
   script: |
     #!/bin/bash
     sudo chown $USER /mnt/lima-finch
-    mkdir -p /mnt/lima-finch/containerd
-    mkdir -p /mnt/lima-finch/nerdctl
-    mkdir -p ~/.local/share/nerdctl
+
+    # https://github.com/containerd/nerdctl/blob/cffdf87ff4d648a5344eea1406bb95ca3ad7eaa4/extras/rootless/containerd-rootless.sh#L144-L146
+    # XDG_DATA_HOME & ~/.local/share: https://github.com/containerd/nerdctl/blob/cffdf87ff4d648a5344eea1406bb95ca3ad7eaa4/extras/rootless/containerd-rootless.sh#L51
+    mkdir -p /mnt/lima-finch/containerd ~/.local/share/containerd
     sudo mount --bind /mnt/lima-finch/containerd ~/.local/share/containerd
+
+    # https://github.com/containerd/nerdctl/blob/main/docs/dir.md#dataroot
+    mkdir -p /mnt/lima-finch/nerdctl ~/.local/share/nerdctl
     sudo mount --bind /mnt/lima-finch/nerdctl ~/.local/share/nerdctl
+
+    # https://github.com/containerd/nerdctl/blob/main/docs/dir.md#netconfpath
+    mkdir -p /mnt/lima-finch/cni-config ~/.config/cni
+    sudo mount --bind /mnt/lima-finch/cni-config ~/.config/cni
+
+    # https://github.com/containerd/nerdctl/blob/cffdf87ff4d648a5344eea1406bb95ca3ad7eaa4/extras/rootless/containerd-rootless.sh#L148-L150
+    # XDG_DATA_HOME & ~/.local/share: https://github.com/containerd/nerdctl/blob/cffdf87ff4d648a5344eea1406bb95ca3ad7eaa4/extras/rootless/containerd-rootless.sh#L51
+    mkdir -p /mnt/lima-finch/cni-local ~/.local/share/cni
+    sudo mount --bind /mnt/lima-finch/cni-local ~/.local/share/cni
+
     systemctl --user restart containerd.service
 
 # Probe scripts to check readiness.