I am a CTF player and my workflow involves using a lot of tools and interacting with possibly malicious binaries.
For isolation and tools, I'm currently using a docker image which contains (almost) all the tools I need, but there's always friction when I have to install a tool (e.g., qemu-system for specific kernel CTF challenges).
To reduce this friction, I'm planning to use nix (seamless package management) inside a docker container (for simple FS isolation).
This setup has the least friction, but has the downside of repeated package downloads. To resolve this I intend to share /nix.
Are there any downsides to my plan? Any limitations in this current model?
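The setup described in the question, as an added example that is not part of the original post: two `docker run` invocations sharing one named Docker volume for `/nix`. It assumes the `nixos/nix` image and a volume called `nix-store` (both placeholder names, overridable through environment variables). The design point it adds is separating roles: a container used to install tools gets the store read-write, while a container that runs untrusted challenge binaries gets the same store read-only, so a compromised challenge cannot modify tools that later containers would trust.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: the nixos/nix image and a
# named volume "nix-store"; both are placeholders and can be overridden via the environment.
set -eu

NIX_IMAGE="${NIX_IMAGE:-nixos/nix}"
NIX_VOLUME="${NIX_VOLUME:-nix-store}"

# Mount mode for the shared store by role:
#   install -> read-write, so nix-env / nix profile can add tools to the shared store
#   solve   -> read-only, so a malicious challenge binary cannot tamper with /nix/store
store_mount_mode() {
  case "$1" in
    install) echo rw ;;
    solve)   echo ro ;;
    *)       echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Print the docker command for one sandbox container.
# $1 = role (install|solve), $2 = container name, $3 = host directory with challenge files
sandbox_cmd() {
  role="$1"; name="$2"; workdir="$3"
  mode="$(store_mount_mode "$role")" || return 1
  printf 'docker run --rm -it --name %s -v %s:/nix:%s -v %s:/work -w /work %s\n' \
    "$name" "$NIX_VOLUME" "$mode" "$workdir" "$NIX_IMAGE"
}

# Demo: install tools once, then solve a challenge against the read-only store.
# Both paths below are constructed placeholders.
if [ "${1:-}" = "demo" ]; then
  sandbox_cmd install tools /tmp/empty
  sandbox_cmd solve pwn1 /tmp/chal
fi
```

Run with `sh sandbox.sh demo` to see the two commands. A named volume (unlike a bind mount) is populated from the image's own `/nix` the first time it is created, so the first `install` container starts from the image's store and every later container, read-write or read-only, sees the same `/nix`. The read-only container can still run tools from the shared profile but cannot itself run `nix` commands that write to the store; that is the intended trade-off for containers handling untrusted binaries.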