juuso
Any specific reason to prefer microVMs over the more NixOS native systemd-nspawn containers?
stapelberg
Purely that I feel better with the stronger security boundary of a VM compared to a container.
But I think there are many possible variations and slightly different setups that make sense for different needs / different people. As I wrote, I just wanted to show one possible way :)
cyplo
ooh interesting, I forgot about microVMs somehow :D inspired by this I did a quick firejail setup, not as nice as the per-project microVM thing you've done but probably better than nothing :)
basically programs.firejail.wrappedBinaries with a custom blocklist
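A concrete version of the setup cyplo sketches, added here as an example and not cyplo's own configuration: a NixOS module that wraps a coding-agent binary with firejail and a deny-list of credential directories. `pkgs.my-agent` and the binary name `agent` are placeholders, not a real package.

```nix
# Added example (not cyplo's actual config): wrap a coding-agent binary in
# firejail with a custom blocklist. `pkgs.my-agent` and the binary name
# `agent` are placeholders for whatever package the agent ships as.
{ pkgs, ... }:
{
  programs.firejail = {
    enable = true;
    # Installs a firejail wrapper named `agent` that shadows the real binary
    # in PATH, so plain `agent` always runs inside the sandbox.
    wrappedBinaries.agent = {
      executable = "${pkgs.lib.getBin pkgs.my-agent}/bin/agent";
      extraArgs = [
        # Deny-list: credential stores an agent has no reason to read.
        # firejail expands `~` to the invoking user's home directory.
        "--blacklist=~/.ssh"
        "--blacklist=~/.gnupg"
        "--blacklist=~/.aws"
        "--blacklist=~/.kube"
        "--blacklist=~/.config/gh"
        "--blacklist=~/.netrc"
        # Fresh, private /tmp so the agent cannot read other processes' files.
        "--private-tmp"
        # Privilege hardening on top of firejail's built-in defaults.
        "--noroot"
        "--nonewprivs"
        "--caps.drop=all"
        "--seccomp"
      ];
    };
  };
}
```

Because this is a deny-list, any path not named here stays readable and writable; that residual reach is the gap the per-project VM boundary in the original post closes.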
ac
Stateless systems like NixOS are excellent for coding agents. You can just let them set up the shell.nix they need to get the job done.