OpenCode with superpowers: it can do everything in a container with Docker and Nix
TL;DR: A lightweight Docker image (~223MB) that combines Nix package manager with non-root isolation, enabling AI coding assistants like OpenCode and Claude Code to install any software safely without admin privileges or home directory leaks.
The Problem
AI coding assistants are revolutionary but have two critical limitations:
- Security risks: They can accidentally access and leak sensitive data from your $HOME
- Limited autonomy: They can't install software even when they know how, due to admin privilege requirements
The Solution
Docker-Nixuser provides both isolation and autonomy:
docker run -v ./data:/data --rm -ti ghcr.io/grigio/docker-nixuser:latest sh -c "cd /data && opencode"
This setup gives you:
- Complete isolation: Only the /data folder is accessible from the host
- Unlimited software installation: Full access to nixpkgs (60,000+ packages)
- No persistence outside /data: Clean sandbox environment every run, useful for experiments
- Non-root execution: Security best practices by default
Why Nix?
Unlike traditional package managers, Nix provides:
- Declarative packages: No dependency conflicts
- Reproducible environments: Same packages work everywhere
- User-space installation: No root privileges needed
- Massive repository: Larger than Arch AUR with better quality control
Quick Demo
# Pull and test
docker run --rm ghcr.io/grigio/docker-nixuser:latest sh -c 'whoami && nix profile add nixpkgs#hello && hello'
# Start coding with AI assistant
docker run -v $(pwd)/data:/data --rm -ti ghcr.io/grigio/docker-nixuser:latest sh -c "cd /data && opencode"
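The "only /data is accessible from the host" property above holds only for the directory you actually bind-mount: `-v $HOME:/data` or `-v /:/data` would hand the assistant exactly the home directory the post wants to keep out of reach. The following wrapper is an added example, not part of docker-nixuser, that runs a pre-flight check on the mount source before issuing the same docker run command as above. The function names, the `NIXUSER_IMAGE` variable and the sample paths are introduced here; the image name is the one from the post.

```shell
#!/bin/sh
# Added example (not docker-nixuser's own code): wrap the docker run command
# from the post with a check that the bind-mount source is a project
# directory, not / or $HOME (or a parent of $HOME such as /home or /Users).
# NIXUSER_IMAGE is a variable introduced by this example.

NIXUSER_IMAGE="${NIXUSER_IMAGE:-ghcr.io/grigio/docker-nixuser:latest}"

# nixuser_mount_ok DIR [HOME]
# Returns 0 if DIR is an acceptable mount source: absolute, not the root
# directory, not HOME itself, and not an ancestor of HOME. HOME defaults to
# $HOME; it is a parameter so the check can be exercised with fixed paths.
nixuser_mount_ok() {
  dir=$1
  home=${2:-$HOME}
  # Drop trailing slashes so "/home/alice/" compares equal to "/home/alice".
  while [ "${dir%/}" != "$dir" ]; do dir=${dir%/}; done
  # "/" reduces to the empty string after stripping: never mount the root.
  [ -z "$dir" ] && return 1
  # Only absolute paths are accepted; relative paths are resolved by nixuser_run.
  case "$dir" in
    /*) ;;
    *) return 1 ;;
  esac
  # Mounting $HOME itself exposes everything the post wants to keep private.
  [ "$dir" = "$home" ] && return 1
  # An ancestor of $HOME (e.g. /home) exposes every user's home directory.
  case "$home" in
    "$dir"/*) return 1 ;;
  esac
  return 0
}

# nixuser_cmd DIR
# Prints the docker run command from the post for an already-resolved DIR,
# so the invocation can be reviewed before it is executed.
nixuser_cmd() {
  printf 'docker run -v %s:/data --rm -ti %s sh -c "cd /data && opencode"\n' \
    "$1" "$NIXUSER_IMAGE"
}

# nixuser_run DIR
# Resolves DIR to an absolute path, applies the mount check, then starts
# OpenCode in the container with only that directory mounted at /data.
nixuser_run() {
  proj=$(cd "$1" 2>/dev/null && pwd -P) || {
    echo "nixuser_run: not a directory: $1" >&2
    return 2
  }
  if ! nixuser_mount_ok "$proj"; then
    echo "nixuser_run: refusing to mount $proj (it is / or contains \$HOME)" >&2
    return 1
  fi
  docker run -v "$proj:/data" --rm -ti "$NIXUSER_IMAGE" sh -c "cd /data && opencode"
}

# Run only when invoked directly with a directory argument; sourcing the file
# just defines the functions.
if [ "$#" -gt 0 ]; then
  nixuser_run "$@"
fi
```

Usage: `sh nixuser.sh ./data` starts the assistant exactly as the post's command does, while `sh nixuser.sh ~` or `sh nixuser.sh /home` is refused. Subdirectories of your home directory (the normal case for a project checkout) pass the check; the point is to block the mount sources that turn the sandbox back into full home-directory access.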
Links
- GitHub: https://github.com/grigio/docker-nixuser
- Nix: https://nixos.org/
- Nixpkgs: https://github.com/NixOS/nixpkgs
- OpenCode: https://opencode.ai/
- Claude Code: https://claude.ai/code
This approach solves the fundamental security and autonomy issues holding back AI coding assistants, enabling truly powerful yet safe development environments.