Nucleus – A security-hardened, Nix-native container runtime

Hi HN, I've been building Nucleus, a lightweight Linux container runtime focused on two workloads: ephemeral AI-age...

Our Take

Someone looked at container security and said "yeah, Docker is basically a siege weapon with the drawbridge down." That's Nucleus, a security-hardened, Nix-native container runtime built for two specific workloads: ephemeral AI-agent sandboxes and declarative NixOS services. It's a single Rust binary with no daemon, and it explicitly is NOT a Docker replacement. The creator dropped the entire image-and-distribution layer—no Dockerfile, no layers, no registry, no pull/push, no persistent storage—in exchange for going deeper on isolation and reproducibility. The rootfs is either a directory copied into tmpfs for agent mode or a Nix-built closure mounted read-only for production. That's a deliberate trade, not a missing feature.

The security defaults are absolutely ruthless. All capabilities are dropped. The seccomp allowlist is roughly 100 syscalls versus Docker's 300. It supports up to 8 namespaces, including time and cgroup. Landlock LSM path ACLs are applied per service. Outbound traffic is deny-by-default: unless you explicitly allow specific CIDRs or DNS-resolved domains, nothing leaves the container, and this is enforced with iptables rules local to the container's network namespace. If your mental model is "run my image instead of docker run," this won't fit. If it's "run untrusted or ephemeral workloads with stronger, auditable isolation on a single host," that's the target. The project lives on GitHub under sig-id and is built for people who care about actually locked-down container isolation.


Nucleus – A security-hardened, Nix-native container runtime — SLAYREPORT