On 2024-05-22, 19:16 +0200, Tomas Volf <~@wolfsden.cz> wrote:
> If your main goal is strong isolation and security, you probably might
> want to take a look at firecracker[0]. Downside is non-existent
> support in Guix, not even a package.

Hey Tomas,

Thanks for getting back to me!

You're right, Firecracker seems to perfectly address my objectives - but yeah, the fact that there's no Guix support makes it a bit less appealing. I guess I'm willing to accept some performance overhead in exchange for QEMU's good level of integration. But thanks for suggesting this as an option.

Looking at Firecracker brought another project to my attention, MicroVM.nix⁰. If I'm not mistaken, it would look like the NixOS equivalent of what I was looking for. It'd be nice to create a 'least-authority-wrapper' variant that's VM-based.

If you like, keep me posted on your findings and feel free to DM me if you want to brainstorm the idea together.

Cheers,
Fabio.

⁰ https://github.com/astro/microvm.nix