{
  # using cgroups for the nix sandbox is a bit slower, but more secure
  nix.settings.use-cgroups = true;
  nix.settings.experimental-features = [
    "cgroups"
  ];
}