NixWrap: Easy adhoc applicaton sandboxing

As a developer I often need to run code I cannot trust, especially dependencies from NodeJS and Python projects, on my dev machine. In order to protect my system from potentially malicious code, I built NixWrap, an adhoc sandboxing tool for NixOS.

E.g. npm install can be wrapped with wrap -n npm install to gain network access and write access to the current working directory.

NixWrap wraps bubblewrap (oh dear), running it with convenient defaults and offering easy to use command line flags to toggle custom options. An invocation to NixWrap is typically way shorter than the bubblewrap equivalent.

Maybe this can be helpful to others too.

Oh hey, I remember working on something very similar a year ago, albeit with different intentions. Your project actually reminded me of my own, and I found it super ironic that my project is mentioned in yours. Awesome stuff, I think ease-of-use bwrap sandboxing of any form is a gold mine for NixOS configurations and I’m glad to see more people tapping into it.