I’ve recently discovered NixOS containers and was wondering if there were any pros/cons of running them vs. Docker containers. Like if one needs to run a containerised service, would it be better to run it as a NixOS container or a Docker container in terms of resource consumption? And are there any limitations of each approach?

  • moonpiedumplings · 4 upvotes · 2 days ago

    if one needs to run a containerised service

    Can you elaborate what you mean by this? Because if a service is not packaged in NixOS, you won’t be able to run it in a NixOS container either. Well, you can, but you would have to package/set it up yourself.

  • Chewy@discuss.tchncs.de · 5 upvotes · 2 days ago (edited)

    NixOS containers use systemd-nspawn (systemd containers). Both use Linux namespaces and cgroups.

    A disadvantage of NixOS containers is that they only support rootful containers, i.e. root inside the container has the same privileges as root outside the container. This is also true for Docker unless configured otherwise.

    OCI containers (Docker, Podman) are often created by upstream themselves, which you might prefer.

    I configure containers by using the podman backend (default) and virtualisation.oci-containers.containers, which supports rootless podman [1]. Imo rootless is the best and most secure way to run containers on NixOS.

    Edit: I prefer NixOS packages if available and only use OCI (Docker) containers if not. The main reason being the simplified declarative configuration through NixOS options, which can also be used inside NixOS containers.

    [1] virtualisation.oci-containers.containers.<name>.podman.user
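The two setups contrasted in the comment above, side by side in one NixOS module. This is an added example, not code from the thread or from nixpkgs documentation: the option names are real NixOS options (including the `podman.user` option cited in footnote [1]), but the container names, the `podsvc` account, the addresses and the image tag are assumptions, and the example assumes the rootless account needs subuid/subgid ranges, which rootless podman requires in general.

```nix
# Added example (not from the thread): a NixOS module with a rootful
# systemd-nspawn container and a rootless podman OCI container side by side.
# Names, addresses, the service account and the image tag are assumptions.
{ config, pkgs, ... }:

{
  ##########################################################################
  # 1. NixOS container: systemd-nspawn underneath, configured with ordinary
  #    NixOS options. It is rootful, so for threat modelling treat root in
  #    the container as root on the host.
  ##########################################################################
  containers.web = {
    autoStart = true;
    # Own network namespace instead of sharing the host's interfaces.
    privateNetwork = true;
    hostAddress = "10.233.1.1";   # assumed address
    localAddress = "10.233.1.2";  # assumed address

    config = { config, pkgs, lib, ... }: {
      # The same declarative options as on a host apply inside the container.
      services.nginx = {
        enable = true;
        virtualHosts."localhost".root = pkgs.writeTextDir "index.html" "hello";
      };
      networking.firewall.allowedTCPPorts = [ 80 ];
      system.stateVersion = "24.05";  # assumed release
    };
  };

  ##########################################################################
  # 2. OCI container via the podman backend, run rootless as a dedicated
  #    unprivileged account using the podman.user option from the comment.
  ##########################################################################
  virtualisation.podman.enable = true;
  virtualisation.oci-containers.backend = "podman";

  # Unprivileged account that owns the rootless podman instance
  # (assumption: the name is a placeholder, pick one that fits your system).
  users.users.podsvc = {
    isSystemUser = true;
    group = "podsvc";
    home = "/var/lib/podsvc";
    createHome = true;
    # Rootless podman maps container uids through a user namespace and
    # therefore needs a subuid/subgid range for this account.
    autoSubUidGidRange = true;
  };
  users.groups.podsvc = { };

  virtualisation.oci-containers.containers.nginx-rootless = {
    image = "docker.io/library/nginx:1.27";  # assumed image tag
    # Run this container's podman as podsvc instead of root.
    podman.user = "podsvc";
    # Bind an unprivileged host port on loopback only; ports below 1024
    # would need extra setup for a non-root user.
    ports = [ "127.0.0.1:8080:80" ];
    # Defence in depth: read-only rootfs and no capabilities at all.
    extraOptions = [ "--read-only" "--cap-drop=ALL" ];
  };
}
```

After `nixos-rebuild switch`, the nspawn container shows up under `machinectl list` and the OCI container under `podman ps` when run as `podsvc`; the point of the contrast is that a compromise of the first hands over host root, while a compromise of the second is confined to an unprivileged account with no capabilities.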

    • beeng@discuss.tchncs.de · 1 upvote · 1 day ago

      Damn, didn’t know it was rootful only. Work is going nuts atm about non-zero user IDs in containers.

      There goes my idea about solving some of our packaging and distribution problems with nix build.

    • Shareni · 1 upvote · 1 day ago

      This is also true for docker unless configured otherwise

      Just to make sure, it’s the rootless daemon?

      Also, another option for OP: a Docker container built from a NixOS base image.

  • axx@slrpnk.net · 3 upvotes · 2 days ago

    The main advantage of NixOS containers, to my limited understanding, is that since they are built by Nix, all dependencies are updated with nixpkgs (no woefully out-of-date stuff in one of the layers of the container image), and you can pin these if you need to.

    I’d like to understand the differences and similarities between the two better too though.
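The two remarks above (Shareni's "Docker container built from a NixOS base image" and axx's point that every layer then tracks a nixpkgs revision you can pin) describe the same technique, so here is one added example of it, not code from the thread or from nixpkgs itself. It builds an OCI image with `pkgs.dockerTools.buildLayeredImage`, whose contents come entirely from one pinned nixpkgs checkout. The pinned revision and its hash are placeholders to be replaced; the image name, tag and the choice of `hello` as payload are assumptions.

```nix
# Added example (not from the thread): an OCI image whose every layer comes
# from one pinned nixpkgs revision, so there is no separately-aged distro
# base layer. <PINNED-REV> and <PLACEHOLDER-SHA256> must be replaced with
# the revision you actually want to pin and its fetchTarball hash.
{ pkgs ? import (builtins.fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/<PINNED-REV>.tar.gz";
    sha256 = "<PLACEHOLDER-SHA256>";
  }) { } }:

pkgs.dockerTools.buildLayeredImage {
  name = "hello-nix";   # assumed image name
  tag = "pinned";       # assumed tag

  # Only the listed packages and their closure end up in the image; updating
  # the pinned revision above updates every dependency in lock step.
  # fakeNss supplies a minimal /etc/passwd and /etc/group with 'nobody'.
  contents = [ pkgs.hello pkgs.fakeNss ];

  config = {
    Cmd = [ "${pkgs.hello}/bin/hello" ];
    # Run as nobody (uid 65534 from fakeNss) rather than as root, which
    # matters for the non-zero-uid policy mentioned earlier in the thread.
    User = "nobody";
  };
}
```

Build and load it with `nix-build image.nix && docker load < result` (or `podman load < result`); `docker image inspect hello-nix:pinned` then shows `"User": "nobody"`, and rebuilding after changing the pinned revision is the whole update procedure.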