Looking for a simple, slightly paranoid, workflow to develop applications in a sandbox like environment

I typically clone a project in a JetBrains IDE and hack away.

Sometimes, I’ll create a VM, clone and connect with JetBrains Gateway.

Is there a simpler solution that uses the nix sandbox or similar?

My primary constraints are:

  • make sure parts of my host filesystem are not available to the build
  • make commands unavailable like sudo
  • network access is ok
  • have workspace where I could develop a few projects in the same sandbox
  • works on darwin and nixos

How does the community approach host isolated dev environments?

I imagine there’s something along the lines of:

nix develop
idea ./

nix develop -i cleans up env, but it’s not sandboxed.
For sandboxing:
A) You can make your whole project a nix derivation (works everywhere)
B) Use nix-cage or nix-bwrap (Linux only): GitHub - corpix/nix-cage: Sandboxed environments with bwrap and nix-shell; nix-bubblewrap: Nix - bubblewrap integration

3 Likes
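As an added example of option B (not code from this thread, and not nix-cage's or nix-bubblewrap's own code), here is a small wrapper that runs `nix develop` under bubblewrap. It assumes Linux with unprivileged user namespaces enabled, `bwrap` and `nix` on the host PATH, and a multi-user Nix install whose daemon socket lives under /nix (that tree is bind-mounted read-only, which is enough to reach the socket). The only host directory the sandbox can write to is the workspace passed on the command line; /run/wrappers is never bound, so setuid helpers such as sudo simply do not exist inside.

```shell
#!/usr/bin/env sh
# sandbox-dev.sh: run `nix develop` inside a bubblewrap (bwrap) sandbox.
# Example added for illustration; assumptions: Linux, user namespaces enabled,
# bwrap + nix installed on the host, daemon socket under /nix.

# Print, one per line, the bwrap options that sandbox the workspace directory $1.
# The sandbox gets:
#   - a fresh tmpfs root: nothing from the host is visible unless listed here
#   - /nix read-only, so store paths run but cannot be modified
#   - the workspace bound read-write at $HOME/workspace, inside a tmpfs $HOME
#   - the host network (there is deliberately no --unshare-net)
# It does not get /run/wrappers, so sudo and other setuid helpers are absent.
# --ro-bind-try skips a source that does not exist on this host.
sandbox_args() {
  ws=$1
  home=${HOME:-/home/dev}
  printf '%s\n' \
    --unshare-user --unshare-pid --unshare-ipc --unshare-uts --unshare-cgroup \
    --die-with-parent \
    --ro-bind /nix /nix \
    --ro-bind-try /etc/nix /etc/nix \
    --ro-bind-try /etc/resolv.conf /etc/resolv.conf \
    --ro-bind-try /etc/ssl /etc/ssl \
    --ro-bind-try /etc/passwd /etc/passwd \
    --ro-bind-try /etc/group /etc/group \
    --proc /proc --dev /dev \
    --tmpfs /tmp \
    --tmpfs "$home" \
    --bind "$ws" "$home/workspace" \
    --chdir "$home/workspace" \
    --setenv HOME "$home"
}

# Launch `nix develop` in the sandbox. The host's nix binary is resolved to its
# /nix/store path so the read-only /nix bind is all that is needed to find it;
# PATH inside starts with only that directory, the devShell adds its own inputs.
run_sandbox() {
  nix_bin=$(readlink -f "$(command -v nix)")
  IFS='
'
  set -f
  # shellcheck disable=SC2046
  set -- $(sandbox_args "$1") --setenv PATH "$(dirname "$nix_bin")" "$nix_bin" develop
  exec bwrap "$@"
}

# Usage on the host: ./sandbox-dev.sh --run ~/src/my-project
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
  run_sandbox "$(readlink -f "$2")"
fi
```

Inside the shell, `ls /` shows only what was bound, `sudo` is "command not found", and `nix develop` still reaches the network and the daemon. This covers the Linux half of the question only; bubblewrap does not run on Darwin, and the sandbox is only as strong as the kernel's user-namespace implementation, which is the caveat raised further down in this thread.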

I’m using dedicated LXD / LXC containers for that matter (working on a NixOS host).

e.g.:

  • container 1: for work ABC with projects X, Y, Z, etc
  • container 2: for work DEF with projects 1, 2, 3, etc
  • etc…

With some tweaks for networking and storage, you might get the isolation needed?

1 Like

Thank you @Cloudef and @JimJ92120, I have plenty to try.

Bubblewrap seems to provide a similar result to LXC for my use case, by also using kernel namespacing features for the filesystem and the network.

@Cloudef’s solution looks quite neat and lightweight (haven’t tried yet)

A few use cases where you may consider LXD / LXC (or similar):

doesn’t seem suitable for unprivileged users:

Bwrap uses user namespaces. The readme is saying systemd-nspawn, docker, etc… are not suitable for unprivileged users. However, there might be security bugs in user namespaces and there have been in the past.

“infrastructure as code” (declarative) for reproducibility, e.g. networking, storage, etc

Isn’t nix/nixpkgs basically this already? E.g. I build and deploy everything to AWS through terranix (GitHub - terranix/terranix: terranix is a terraform.json generator with a nix-like feeling)

I’d see containers still useful if you want to package complex systems that need multiple parts running separately from the host OS, like services, or need isolated VPN / Network. You can create and orchestrate containers using nix as well.