@Thesola10
Last active June 4, 2023 20:22
It's Nix in a Box!
#!/bin/sh
# bwrap-nix (c) Karim Vergnes <me@thesola.io>
# It's Nix in a Box! (useful for an unprivileged Nix environment)
#
# Runs <command> inside a bubblewrap sandbox that mirrors the host root
# filesystem and mounts <nix directory> at /nix, so an unprivileged user can
# use a Nix store without owning a /nix directory on the host.
# Assumes a merged-/usr host: /lib, /lib64, /lib32, /bin and /sbin are
# recreated as symlinks into /usr rather than bound from the host.

# Argument check in POSIX sh. The original `[[ $# < 2 ]]` is bash-only and,
# even in bash, `<` inside [[ ]] compares strings, not numbers.
if [ "$#" -lt 2 ]
then
    echo "usage: $0 <nix directory> <command> [args]..." >&2
    exit 1
fi

NIX_DIR=$1
shift 1

# --dev /dev gives the sandbox a minimal /dev (null, zero, random, tty, ...)
# rather than the host's device nodes; --proc /proc mounts a fresh procfs.
exec \
    bwrap --ro-bind /usr /usr \
          --ro-bind /etc /etc \
          --bind /var /var \
          --bind /sys /sys \
          --bind /run /run \
          --bind /tmp /tmp \
          --symlink /usr/lib /lib \
          --symlink /usr/lib64 /lib64 \
          --symlink /usr/lib32 /lib32 \
          --symlink /usr/bin /bin \
          --symlink /usr/sbin /sbin \
          --dev /dev \
          --proc /proc \
          --bind "$NIX_DIR" /nix \
          "$@"
Thesola10 (Author) commented Feb 28, 2022

To "poke holes" into the sandbox and gain access to all devices, you will need to make the following change:

-         --dev       /dev                \
+         --dev-bind  /dev        /dev    \
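Review bot: `--dev-bind /dev /dev` hands the sandbox the host's entire /dev (block devices, ttys, input nodes), which undoes most of what `--dev /dev` isolates; if only one device class is needed, keep `--dev /dev` and add a `--dev-bind` for that path alone, for example `--dev-bind /dev/dri /dev/dri` for GPU access.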
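A hardened variant of the wrapper, written as an added example rather than the gist's own code: it fixes the argument check for POSIX sh, refuses a Nix directory that is not an absolute existing path, adds bubblewrap's namespace-isolation flags in front of the mounts, and exposes individual devices with `--dev-bind` on top of the minimal `--dev /dev` instead of binding all of the host's /dev. Assumptions not taken from the original: a merged-/usr host, a bwrap new enough for `--unshare-all`, `--die-with-parent` and `--new-session`, and a hypothetical `BWRAP_NIX_DEVICES` environment variable holding the space-separated device paths to expose.

```shell
#!/bin/sh
# Hardened variant of the bwrap-nix wrapper: added example, not the gist's own
# code. Assumptions not taken from the original: a merged-/usr host, a bwrap
# new enough for --unshare-all/--die-with-parent/--new-session, and a
# BWRAP_NIX_DEVICES environment variable (space-separated device paths) naming
# the devices that should be visible inside the sandbox.

# check_nix_dir DIR: accept only an absolute path to an existing directory.
# A relative path would be bind-mounted relative to the host's cwd, which is
# rarely what the caller meant, and a missing directory makes bwrap fail late.
check_nix_dir() {
    case "$1" in
        /*) [ -d "$1" ] ;;
        *)  return 1 ;;
    esac
}

# bwrap_args NIX_DIR [DEVICE...]: print the bwrap option list, one word per
# line, so it can be inspected (or tested) without actually running bwrap.
bwrap_args() {
    nix_dir=$1
    shift
    # Isolation flags first: fresh pid/ipc/uts/user namespaces but keep the
    # network, kill the sandbox when the parent dies, and detach from the
    # controlling tty so the sandboxed process cannot push input into it.
    printf '%s\n' \
        --unshare-all --share-net --die-with-parent --new-session \
        --ro-bind /usr /usr \
        --ro-bind /etc /etc \
        --bind /var /var \
        --ro-bind /sys /sys \
        --bind /run /run \
        --bind /tmp /tmp \
        --symlink /usr/lib /lib \
        --symlink /usr/lib64 /lib64 \
        --symlink /usr/lib32 /lib32 \
        --symlink /usr/bin /bin \
        --symlink /usr/sbin /sbin \
        --dev /dev \
        --proc /proc \
        --bind "$nix_dir" /nix
    # Expose each requested device on top of the minimal /dev instead of
    # replacing the whole of /dev with the host's.
    for dev in "$@"; do
        printf '%s\n' --dev-bind "$dev" "$dev"
    done
}

# main NIX_DIR COMMAND [ARGS...]: validate, then exec bwrap. Returns 1 on a
# usage error instead of exiting so it can be called from other scripts.
main() {
    if [ "$#" -lt 2 ]; then
        echo "usage: $0 <nix directory> <command> [args]..." >&2
        return 1
    fi
    nix_dir=$1
    shift
    if ! check_nix_dir "$nix_dir"; then
        echo "$0: '$nix_dir' is not an absolute path to an existing directory" >&2
        return 1
    fi
    # Split the option list on newlines only (paths with spaces survive; paths
    # containing newlines are not supported), with globbing off, and put it in
    # front of the user's command.
    opts=$(bwrap_args "$nix_dir" ${BWRAP_NIX_DEVICES:-})
    set -f
    IFS='
'
    set -- $opts "$@"
    unset IFS
    set +f
    exec bwrap "$@"
}

# Only act when invoked with arguments; sourcing the file just defines the
# functions above.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Usage: `BWRAP_NIX_DEVICES=/dev/dri ./bwrap-nix-hardened /home/me/nix nix-shell`. Because `--unshare-all` also creates a new user namespace, check that Nix's own build sandbox still works inside it on your kernel; if it does not, that flag is the one to revisit, and the mounts can stay as they are.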
