nix cgroups

hosts/nixos/bolle/configuration.nix

@@ -12,6 +12,7 @@
   imports = [
     ./hardware-configuration.nix
     ../../../profiles/sshd.nix
+    ../../../profiles/nix-cgroups.nix
 
     ../../../users/pbsds
     ../../../users/daniel

hosts/nixos/eple/configuration.nix

@@ -14,6 +14,7 @@
   imports = [
     ./hardware-configuration.nix
     ../../../profiles/sshd.nix
+    ../../../profiles/nix-cgroups.nix
 
     ../../../users/pbsds
     ../../../users/bartvbl

hosts/nixos/garp/configuration.nix

@@ -23,6 +23,7 @@
   imports = [
     ./hardware-configuration.nix
     ../../../profiles/sshd.nix
+    ../../../profiles/nix-cgroups.nix
     #../../../profiles/no-suspend.nix
     #../../../profiles/oci/podman.nix
     ../../../profiles/oci/docker.nix

profiles/nix-cgroups.nix

@@ -0,0 +1,7 @@
+{
+  # using cgroups for the nix sandbox is a bit slower, but more secure
+  nix.settings.use-cgroups = true;
+  nix.settings.experimental-features = [
+    "cgroups"
+  ];
+}