stephen_cagle 4 hours ago
Have you heard of any good projects for running isolated containers in NixOS that are cheaply derived from your own NixOS config? Because that is what I want. I want a computer where I can basically install every non-stock app in its own little world, where it thinks "huh, that is interesting, I seem to be the only app installed on this system". Basically, I want to be able to run completely unverified code off of the internet on my local machine, and know that the worst thing it can possibly do is trash its own container. I feel like NixOS is one path toward getting to that future.
cpuguy83 2 hours ago
You mean like https://wiki.nixos.org/wiki/NixOS_Containers ?
woleium 3 hours ago
Sounds like you want Qubes OS: https://www.qubes-os.org/
bpavuk 3 hours ago
Depends whether you consider rootless Docker "cheap". I tried running ZeroClaw in a Nix-derived Docker (spoiler: it was a bad idea to use ZeroClaw at all, since the harness is very buggy) and there is still a potential for container-escape zero-days, but that's the best I've found. Also, Nix's own containerization is not as hermetic as Docker; they warn about that in the docs.
gallexme 3 hours ago
If containers are safe enough for your use case, then just use NixOS containers; they're just a few more lines to set up in a regular NixOS config. If that isn't enough, there's microvm.nix, which is pretty much the same in difficulty/complexity but runs inside a very slim and lightweight VM with stronger isolation than a container.
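An added example, not from any comment in the thread, of the two options named above written as one NixOS host module: a declarative `containers.<name>` (systemd-nspawn, shares the host kernel) next to a `microvm.vms.<name>` definition (its own guest kernel). The package `pkgs.hello` stands in for the untrusted app, the addresses and MAC are made up, and the microvm part assumes the host already imports the microvm.nix host module; everything else is stock NixOS and microvm.nix option names.

```nix
# Added example (not from any commenter). Assumptions: pkgs.hello is a
# stand-in for the untrusted program, addresses/MAC are invented, and the
# host config imports microvm.nix's host module (nixosModules.host).
{ config, pkgs, ... }:
{
  # 1. NixOS container (systemd-nspawn). Same kernel as the host, so this is
  #    convenience isolation, not a hardened security boundary.
  containers.untrusted-app = {
    autoStart = true;
    ephemeral = true;          # root filesystem is discarded on every restart
    privateNetwork = true;     # own network namespace, veth pair to the host
    hostAddress = "10.233.1.1";
    localAddress = "10.233.1.2";
    bindMounts."/data" = {     # the only host path the app can touch
      hostPath = "/var/lib/untrusted-app";
      isReadOnly = false;
    };
    config = { pkgs, ... }: {
      environment.systemPackages = [ pkgs.hello ];
      networking.firewall.enable = true;
      system.stateVersion = "24.05";
    };
  };

  # 2. microvm.nix guest. Same module syntax as above, but it boots its own
  #    kernel under a hypervisor, so a kernel bug in the guest stays inside it.
  microvm.vms.untrusted-vm = {
    config = {
      microvm = {
        hypervisor = "qemu";
        vcpu = 1;
        mem = 512;             # MiB
        # "user" networking: guest can reach out, nothing can reach in
        interfaces = [{ type = "user"; id = "vm-untrusted"; mac = "02:00:00:00:00:01"; }];
        # share the host's /nix/store read-only instead of copying closures
        shares = [{
          source = "/nix/store";
          mountPoint = "/nix/.ro-store";
          tag = "ro-store";
          proto = "virtiofs";
        }];
      };
      environment.systemPackages = [ pkgs.hello ];
      system.stateVersion = "24.05";
    };
  };
}
```

After `nixos-rebuild switch`, `nixos-container root-login untrusted-app` drops into the container and `systemctl status microvm@untrusted-vm` shows the VM. The two blocks are deliberately parallel: the only thing that changes between "container" and "VM" is which option tree the same NixOS module is handed to, which is the point made in the comment above.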
ogUsername 2 hours ago
That's hard given most apps have dependencies and often share them. It will always look like curl is available, or bash, or something.

What's wrong with another user account for such isolation? They can be isolated to namespaces and cgroups. Docker and Nix are just wrappers around a lot of OS functionality, with their own semantics attempting to describe how their abstraction works. Every OS already ships with tools for controlling users' access to memory, disk, CPU and network. Nix is just another chef, ansible, cfengine, apt, pacman.

Building one's own distro isn't hard anymore. If you want ultimate control, have a bot read and build the LFS documentation to your needs. Nothing is more powerful than the raw git log and source. Nix and everything else are layers of indirection we don't need.
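An added example, not from any comment in the thread, of the point above about using what the OS already ships: one untrusted program confined with a throwaway user, mount/network/PID namespaces and cgroup limits, all of which are plain systemd unit directives, written here as a NixOS systemd unit so it fits the rest of the page. `pkgs.hello` and the unit name are stand-ins; the directives themselves are standard systemd.exec(5) and systemd.resource-control(5) options.

```nix
# Added example (not from any commenter). pkgs.hello and the unit name
# "untrusted-tool" are placeholders for the real program.
{ pkgs, ... }:
{
  systemd.services.untrusted-tool = {
    description = "Untrusted program under systemd sandboxing";
    serviceConfig = {
      ExecStart = "${pkgs.hello}/bin/hello";

      # user isolation: a transient UID/GID allocated at start, never in /etc/passwd
      DynamicUser = true;
      StateDirectory = "untrusted-tool";   # /var/lib/untrusted-tool, the only persistent writable path

      # mount namespace: read-only OS, no /home, private /tmp and /dev.
      # The process still *sees* /usr, /nix/store, bash, curl etc., just read-only.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;

      # network namespace with only a loopback; drop PrivateNetwork if the app needs egress
      PrivateNetwork = true;
      RestrictAddressFamilies = "AF_UNIX";

      # no privilege escalation paths
      NoNewPrivileges = true;
      CapabilityBoundingSet = "";         # empty set: setuid binaries gain nothing
      RestrictNamespaces = true;          # cannot create nested namespaces itself
      SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];

      # cgroup limits: memory, CPU and process count
      MemoryMax = "512M";
      CPUQuota = "50%";
      TasksMax = 256;
    };
  };
}
```

`systemd-analyze security untrusted-tool.service` scores the unit and lists which directives are still missing, which is a quick way to check that a hand-written sandbox actually applies what you think it does.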