Using platformio in a nixos generated container

Hello guys,
I am trying to use platformio on my CI server. I use Concourse as the CI and it uses docker/podman containers to run compile steps.

When trying to generate a docker container from nix I encounter some problems. Consider the following file:

{ pkgs ? import <nixpkgs> {} }:

with pkgs;
dockerTools.buildImage {
  name = "platformio";
  tag = "latest";

  # everything linked under /bin of the image root
  copyToRoot = buildEnv {
    name = "image-root";
    paths = with pkgs; [ platformio-core coreutils gcc bash ];
    pathsToLink = [ "/bin" ];
  };

  # create an unprivileged user that owns the project volume
  runAsRoot = ''
    groupadd -r pio
    useradd -r -g pio -d /data -M pio
    mkdir /data
    chown pio:pio /data
  '';

  config = {
    # the command was garbled ("${}") in the original post; left unset here
    Cmd = [ ];
    WorkingDir = "/data";
    Volumes = {
      "/data" = {};
    };
  };
}

When using this expression to create a docker container and then running pio run inside this container (of course inside a platformio project), platformio downloads the toolchain (in my case teensy) and later fails with:

sh: line 1: /root/.platformio/packages/toolchain-gccarmnoneeabi-teensy/bin/arm-none-eabi-g++: cannot execute: required file not found

I concluded that maybe platformio needs some hard-coded path which nix of course does not like. So I changed to the platformio package (instead of platformio-core) in the expression above. However, then there is another error:

bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.

Does anybody know how to run platformio successfully inside an (unprivileged) container?
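The first error is worth pinning down before changing packages: "cannot execute: required file not found" for a binary that does exist means the kernel could not find the program's ELF interpreter (the dynamic loader named in the PT_INTERP segment, usually /lib64/ld-linux-x86-64.so.2 for prebuilt x86-64 toolchains), and an image built from nix store paths only has no such file. The script below is an added diagnostic, not part of the original post: it reads the PT_INTERP path out of an ELF64 binary and reports whether that loader exists under a given root. The sample ELF it constructs, the `diagnose`/`elf_interpreter` names and the `exists` hook are all my own; it says nothing about the bwrap/user-namespace error from the second attempt.

```python
"""Why does an existing binary fail with "required file not found"?

Added example (not from the original post). Parses the program headers of
an ELF64 little-endian file, returns its PT_INTERP path, and checks whether
that dynamic loader is present under `root`. A missing loader is the usual
cause of this error for prebuilt toolchains inside a Nix-built image.
"""
import os
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_INTERP = 3          # program header type for the interpreter path
EHDR_SIZE = 64         # ELF64 header size
PHDR_SIZE = 56         # ELF64 program header entry size


def elf_interpreter(data: bytes):
    """Return the PT_INTERP path of an ELF64 little-endian image, or None if static."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class != 2 or ei_data != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    # e_phoff lives at offset 0x20 (8 bytes); e_phentsize/e_phnum at 0x36/0x38
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_INTERP:
            return data[p_offset:p_offset + p_filesz].rstrip(b"\x00").decode()
    return None


def diagnose(data: bytes, root: str = "/", exists=os.path.exists):
    """Classify a binary: ("static", None), ("ok", loader) or ("missing-loader", loader).

    `exists` is a hook (assumed, for testing) that defaults to os.path.exists.
    """
    interp = elf_interpreter(data)
    if interp is None:
        return ("static", None)
    candidate = os.path.join(root, interp.lstrip("/"))
    return ("ok" if exists(candidate) else "missing-loader", interp)


def build_sample_elf(interp: str) -> bytes:
    """Constructed sample: a header-only ELF64 x86-64 image with one PT_INTERP segment."""
    interp_bytes = interp.encode() + b"\x00"
    interp_off = EHDR_SIZE + PHDR_SIZE
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8      # ELF64, LE, version 1
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1,                  # ET_EXEC, EM_X86_64, EV_CURRENT
        0, EHDR_SIZE, 0, 0,          # e_entry, e_phoff, e_shoff, e_flags
        EHDR_SIZE, PHDR_SIZE, 1,     # e_ehsize, e_phentsize, e_phnum
        0, 0, 0,                     # no section headers
    )
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, interp_off, 0, 0,
                       len(interp_bytes), len(interp_bytes), 1)
    return header + phdr + interp_bytes


if __name__ == "__main__":
    # usage: python elfcheck.py <binary> [root]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    root = sys.argv[2] if len(sys.argv) > 2 else "/"
    blob = open(path, "rb").read() if path else build_sample_elf("/lib64/ld-linux-x86-64.so.2")
    print(diagnose(blob, root))
```

Run it against the downloaded arm-none-eabi-g++ with the container's root as the second argument; a "missing-loader" result confirms the binary is fine and the image simply lacks the loader path it was linked against, which is exactly the gap the FHS-style platformio package papers over with bubblewrap.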