As a developer I often need to run code I cannot trust, especially dependencies from NodeJS and Python projects, on my dev machine. In order to protect my system from potentially malicious code, I built NixWrap, an adhoc sandboxing tool for NixOS.

NixWrap wraps bubblewrap (oh dear), running it with convenient defaults and offering easy to use command line flags to toggle custom options. An invocation to NixWrap is typically way shorter than the bubblewrap equivalent.

E.g. npm install can be wrapped with wrap -n npm install to gain network access and write access to the current working directory.

• https://news.ycombinator.com/item?id=45116657
• https://discourse.nixos.org/t/nixwrap-easy-adhoc-applicaton-sandboxing/68863