diff --git a/doc/installation.rst b/doc/installation.rst
index 6ea85482..850cae74 100644
--- a/doc/installation.rst
+++ b/doc/installation.rst
@@ -193,7 +193,7 @@ dependencies as validated versions are already bundled into a container image
 by the Nextstrain team.
 
 Run ``nextstrain setup singularity`` to get started.
-Singularity version 2.6.0 or newer is required.
+Singularity version 3.0.0 or newer is required.
 
 Note that the Singularity project forked into two separate projects in late
 2021: `SingularityCE`_ under `Sylabs`_ and `Apptainer`_ under the `Linux
diff --git a/nextstrain/cli/runner/singularity.py b/nextstrain/cli/runner/singularity.py
index 5f6d74a1..e92153f5 100644
--- a/nextstrain/cli/runner/singularity.py
+++ b/nextstrain/cli/runner/singularity.py
@@ -43,7 +43,7 @@
              or "docker://nextstrain/base"
 
 
-SINGULARITY_MINIMUM_VERSION = "2.6.0"
+SINGULARITY_MINIMUM_VERSION = "3.0.0"
 
 SINGULARITY_CONFIG_ENV = {
     # Store image caches in our runtime root instead of ~/.singularity/…
@@ -89,7 +89,29 @@
     # ¹ <https://docs.sylabs.io/guides/latest/user-guide/singularity_and_docker.html#docker-like-compat-flag>
     # ² <https://docs.sylabs.io/guides/latest/user-guide/oci_runtime.html#oci-mode>
     "--contain",
+
+    # Don't mount anything at all at the container's value of HOME.  This is
+    # necesary because --compat includes --containall which includes --contain
+    # which makes HOME in the container an empty temporary directory.
+    # --no-home is available since 2.6.0.
     "--no-home",
+
+    # Singularity really wants to default HOME inside the container to the
+    # value from outside the container, thus ignoring the value set by the
+    # upstream Docker image which is only used as a default by the Singularity
+    # image.  Singularity forbids using --env to directly override HOME, so
+    # instead we use --home <src>:<dst> with two empty values.  <src> doesn't
+    # apply because we use --no-home, and setting <dst> to an empty value
+    # allows the container's default to apply (thus avoiding hardcoding it
+    # here).
+    "--home", ":",
+
+    # Allow writes to the image filesystem, discarded at container exit, à la
+    # Docker.  Snakemake, for example, needs to be able to write to HOME
+    # (/nextstrain).
+    "--writable-tmpfs",
+
+    # Don't copy entire host environment.  We forward our own hostenv.
     "--cleanenv",
 
     # Since we use --no-home above, avoid warnings about not being able to cd