I Built a Reasonably Secure OpenClaw Box with Spare PC Parts, NixOS, and microVMs

via Dev.to, by Languid Onee-san (ryoooo)

Introduction

Lately everyone in the AI agent scene is spinning up Docker Sandbox on a Mac mini for an isolated environment. I get the appeal. But the cheapest Mac mini config is ¥94,800 (~$630). And with memory prices through the roof, buying or building any new PC hurts right now.

So I built one from spare parts. A B360M motherboard and an RTX 3060 Ti that had been collecting dust in my closet.

Now here's the thing. Did you know the Docker docs say this?

"MicroVM-based sandboxes require macOS or Windows (experimental). Linux users can use legacy container-based sandboxes with Docker Desktop 4.57."

In other words, microVM sandboxes aren't available on Linux. What you're left with is the legacy approach — namespaces and cgroups sharing the host kernel. One kernel vulnerability and you're all the way through to the host.

And here's another thing: what happens when that isolated environment breaks? You've been hand-crafting Docker images, placing secret keys with shell scripts, and callin
