Description
Context
I am currently writing a NixOS module that allows one to easily generate VMs, and I need a way to pass the guest its store and only its store (not giving it full access to the host store, so that it cannot see secrets that could be in there).
I could have gone with `mount --bind`, as is done for derivation building, but making this a permanent choice with ~1k bind-mounts per VM seems really unsustainable.
So I chose to generate the VM's store in a derivation, and to give this derivation to the guest as though it were its store (this being the least bad of the ways I could think of doing it).
Issue
In order to do this I would have liked to just hardlink the required derivations, instead of copying everything and waiting for `nix-store --optimize` to come and remove the copies and replace them with hardlinks that I could have made from the beginning.
This would reduce disk usage, and a lot less time would be spent copying things that will be hardlinked later anyway.
However, derivation building seems to happen in an environment where its buildInputs are bind-mounted with `mount --bind`, which means hardlinks are impossible, as the VFS layer doesn't recognize that they are on the same underlying filesystem.
Proposed solution
Add a derivation option that requests direct access to `/nix/store`, not through a `mount --bind` "sandbox" (I tried both with `nix.useSandbox = true;` and `nix.useSandbox = false;`, and it seems to happen anyway, so I guess that's not what's called sandbox in Nix vernacular).
What do you think about this? Is it too narrow a use case to deserve such a change?
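The failure mode described in the issue, as an added example that is not part of the original post and not Nix's own code: `link(2)` across two different mounts fails with `EXDEV` even when both sit on the same filesystem, so a builder running inside a bind-mounted store cannot hardlink the closure into its output. The script below mirrors a set of store paths into an output tree, hardlinking regular files where the kernel allows it and falling back to a byte copy only on `EXDEV`, while recreating symlinks verbatim rather than following them (so a symlink pointing outside the closure cannot drag in a path that was never requested). A bind mount needs root, so the sandbox case is simulated by passing a `link` callable that always raises `EXDEV`; the store layout, the hash-like directory names and the "secret" path are constructed for the demonstration.

```python
import errno
import os
import shutil
import tempfile
from pathlib import Path


def link_or_copy(src: Path, dst: Path, link=os.link) -> str:
    """Hardlink src to dst; on EXDEV (what a bind-mounted store yields) copy instead.
    Any other error is a genuine failure and is re-raised rather than hidden."""
    try:
        link(src, dst)
        return "link"
    except OSError as e:
        if e.errno != errno.EXDEV:
            raise
        shutil.copy2(src, dst, follow_symlinks=False)
        return "copy"


def mirror_store(names, store_root: Path, out_root: Path, link=os.link) -> dict:
    """Replicate the named store paths (and nothing else) under out_root.
    Directories are recreated, symlinks are recreated with their original target
    and never followed, regular files are hardlinked or, failing that, copied."""
    stats = {"link": 0, "copy": 0, "symlink": 0}
    for name in names:
        for dirpath, dirnames, filenames in os.walk(store_root / name):  # followlinks=False
            d = Path(dirpath)
            (out_root / d.relative_to(store_root)).mkdir(parents=True, exist_ok=True)
            for entry in dirnames + filenames:
                src = d / entry
                dst = out_root / src.relative_to(store_root)
                if src.is_symlink():  # includes symlinks to directories, which os.walk lists in dirnames
                    os.symlink(os.readlink(src), dst)
                    stats["symlink"] += 1
                elif src.is_file():
                    stats[link_or_copy(src, dst, link)] += 1
                # real subdirectories are created when os.walk descends into them
    return stats


def exdev_link(src, dst):
    """Stand-in for link(2) inside a bind-mounted sandbox: always refuses (assumption for the demo)."""
    raise OSError(errno.EXDEV, "Invalid cross-device link", str(src))


def demo(simulate_sandbox: bool) -> dict:
    """Build a constructed two-path 'store', mirror it, and report what happened.
    Besides the link/copy/symlink counts, the result records whether the mirrored
    binary shares an inode with the original (only true when hardlinking worked),
    whether its content survived, and whether the out-of-closure secret leaked."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "store"
        out = Path(tmp) / "guest-store"
        lib = store / "aaaa-libfoo-1.0" / "lib"
        lib.mkdir(parents=True)
        (lib / "libfoo.so.1").write_bytes(b"\x7fELF fake")
        (lib / "libfoo.so").symlink_to("libfoo.so.1")
        binp = store / "bbbb-hello-2.0" / "bin"
        binp.mkdir(parents=True)
        payload = b"#!/bin/sh\necho hi\n"
        (binp / "hello").write_bytes(payload)
        (store / "bbbb-hello-2.0" / "lib").symlink_to("../aaaa-libfoo-1.0/lib")
        # constructed secret: present in the store but not in the requested closure
        (store / "cccc-secret").mkdir()
        (store / "cccc-secret" / "key").write_bytes(b"hunter2")

        stats = mirror_store(["aaaa-libfoo-1.0", "bbbb-hello-2.0"], store, out,
                             link=exdev_link if simulate_sandbox else os.link)
        mirrored = out / "bbbb-hello-2.0" / "bin" / "hello"
        stats["same_inode"] = mirrored.stat().st_ino == (binp / "hello").stat().st_ino
        stats["content_ok"] = mirrored.read_bytes() == payload
        stats["secret_leaked"] = (out / "cccc-secret").exists()
        return stats


if __name__ == "__main__":
    print("direct store access:", demo(False))
    print("bind-mounted store: ", demo(True))
```

Running it shows the two cases side by side: with direct access both regular files become hardlinks and share inodes with the originals; with the simulated bind mount every `link()` call fails with `EXDEV` and the same files are copied instead, which is exactly the extra I/O the issue wants to avoid. In both cases the symlinks are reproduced as symlinks and the unrequested `cccc-secret` path never appears in the output.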