Docker daemon inside Nix sandbox

I have a build for some scala code which runs tests against a docker container.
At the moment, the build is not sandboxed and runs thanks to the host docker daemon.
I would like to sandbox this build, How can I run a docker daemon inside the sandbox ?

It seems the solution is related to the allow-new-privileges option but I could not get it to work.
Moreover, the warning for allow-new-privileges is worrying, should I use NixOS VM tests to run my tests instead ?

To summarize:

• How can I run a docker daemon inside the sandbox ?
• OR Should I do something like NixOs VM tests instead ?

Hi @vquintin,
we use a similar approach to connect to the docker daemon over TCP on MacOS (e.g. socat with DockerForMac), when we build our scala projects with sbt-docker. I’ve tried previously multiple other appraoches, but failed:

• dockerTools to build only the image. Needs something like sbtix which is not supporting sbt 1.x yet. Seems promising again, because sbt 1.x pure builds seem possible: https://gitlab.com/teozkr/Sbtix/merge_requests/37
• porting virtualbox as driver for docker-machine, but failed to port virtualbox’s self-baked build system to run on darwin with nix
• docker-machine-xhyve driver. I’ve ported the derivation in nixpkgs, but it is currently broken, because it needs setuid. This looks promising, if the following PR is merged: WIP: hyperkit go bindings. by dlorenc · Pull Request #189 · machine-drivers/docker-machine-driver-xhyve · GitHub

Afaik, we take the docker daemon impurity for now as granted, because everything else is so much effort. I would like to test sbtix once again, but as long as our project keep using sbt-docker i have another dependency hurdle more to take.