Hard user-separation with multi-user install possible?

I am investigating setting up a multi-user workstation using nix, either as standalone or through NixOS.

Users should have separately-encrypted home directories, even the admin should not be able to peek into them.

The catch is that I want to allow all the users to be able to use nix devshells as well.

Evaluating any user-private repo sources, like private flake projects, will obviously fully copy them to the world-readable nix store when building, which makes all previous attempts at separation kind of moot.

I don’t mind having duplicated paths between the users, is there any approach I can take to make this work, or is my goal unreasonable at this time?

Apparently there is some experimental support for store overlays which would probably help with this, but I believe it does not support garbage collection.

Any thoughts would be much appreciated!

Do you need the devshell Nix-side content to be private, or is the issue about the repository containing the flake being copied to the store? You can always just drop the flakes and use plain Nix in the latter case.

You could perhaps use the chroot store implementation?

The repositories may be private and any nix evaluation using path literals will copy parts of them into the store, it doesn’t matter if flakes are used or not. I can’t expect all users to be 100% vigilant at all times.
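As an added illustration of the path-literal copying discussed above (written for this page, not code from the thread), showing which plain-Nix constructs copy a private checkout into the store and which do not; it assumes a constructed `./private-repo` directory with a `README` beside the file:

```nix
# Which expressions copy a private checkout into the world-readable /nix/store.
# Evaluate with:  nix-instantiate --eval --strict ./store-copy.nix
# then inspect:   ls -ld /nix/store/*-private-repo   (mode 0555, readable by all)
# Note: with flakes the whole flake directory is copied to the store before
# evaluation, so these distinctions only apply to plain (non-flake) Nix.
let
  src = ./private-repo;   # constructed name, assumed to exist next to this file
in {
  # A path coerced to a string (interpolation, or passing it as `src` to a
  # derivation) is copied into the store at evaluation time, where every
  # local user can read it.
  copied = "${src}";

  # toString yields the absolute filesystem path as a plain string and copies
  # nothing; builds referencing it are impure and may fail in sandboxed or
  # pure-eval contexts, but the private tree stays in $HOME.
  notCopied = toString src;

  # readFile reads the contents into the evaluator without adding the file
  # itself to the store; the contents may still land in any derivation or
  # output that uses them.
  contentsOnly = builtins.readFile (src + "/README");
}
```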

Ah, if path literal references make sense in the context, then indeed you don’t want to share the store. Maybe nix-user-chroot would match what you need for completely independent stores?

I don’t think this is possible, mainly because I also want to manage the system configuration through nix as well. This means that some global entries will contain links to the admin store.
Using OpenGL libraries for instance will probably want to access /run/opengl-driver/* etc. which will point to paths that will probably be missing when chrooted because they won’t necessarily be in the nix store. This is not an issue for the more common use-case of using nix-user-chroot in non-nixos setups.