Can I also get the security/isolation benefits that a duly configured docker/podman can provide (container can only act on mounted volume, non-root user, other seccomp settings)?
I feel better doing my "npm install"s in such an environment (of course it's still not a VM – but that's another topic).
When I read about nix, reproducibility is a goal, but security/isolation is a non-goal.
So you can use them in conjunction (or alternation, if for some projects you're okay running without a container) without having to specify your development environments twice.
> I feel better doing my "npm install"s in such an environment (of course it's still not a VM – but that's another topic).
There are basically two kinds of integration you can do for a project with Nix, which I'll call deep and shallow. In shallow integration, you just have Nix provide the toolchain and then you build the project (manually, with a script, with a Makefile, whatever). This is pretty common and pretty easy, and gives you no protection from malicious NPM build scripts.
For deep integration, you can actually have Nix build your whole project. This has some downsides, like that it can't really handle incremental builds. It also imposes restrictions, like no network access by anything but Nix at build time, all packages are built by special build users with no homedirs and no perms to access anything, etc. When you do that kind of build/install, you do get some protection from crypto miners lurking in the NPM registry or PyPI or whatever.
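The shallow/deep split above, as an added illustration that is not from the thread: one `default.nix` exposing both a dev shell (Nix supplies the toolchain only; `npm install` then runs with your network and home directory) and a sandboxed build via nixpkgs' `buildNpmPackage`, where dependencies are fetched in a fixed-output derivation pinned by `npmDepsHash` and the build phase runs without network as an unprivileged build user. The project name, version and `src` layout are assumptions; the hash is a placeholder.

```nix
{ pkgs ? import <nixpkgs> {} }:

{
  # Shallow integration: Nix provides node/npm, nothing else is sandboxed.
  # `nix-shell -A shell` then `npm install` runs NPM lifecycle scripts with
  # full network access and your own user's permissions.
  shell = pkgs.mkShell {
    packages = [ pkgs.nodejs ];
  };

  # Deep integration: `nix-build -A package` builds the whole project in the
  # Nix sandbox. Only the fixed-output dependency fetch gets network access,
  # and only if its output matches npmDepsHash; the actual build (including
  # any postinstall scripts) runs offline as a dedicated build user with no
  # home directory and write access solely to $out and the build tmpdir.
  package = pkgs.buildNpmPackage {
    pname = "example-app";      # assumed project name
    version = "0.1.0";          # assumed version
    src = ./.;                  # must contain package.json + package-lock.json
    # Placeholder: the first build fails and prints the real hash to paste here.
    npmDepsHash = pkgs.lib.fakeHash;
    npmBuildScript = "build";   # package.json script run in the sandbox
  };
}
```

Because the lockfile hash pins exactly what may enter the sandbox, a dependency that changes its tarball after publication fails the fetch rather than silently running new code at build time.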