nixos/hardened: build sandbox incompatible with namespaces

Disables the build sandbox by default to avoid incompatibility with
defaulting user namespaces to false. Ideally there would be some kind of
linux kernel feature that allows us to trust nix-daemon builders to
allow both nix sandbox builds and disabling untrusted namespaces at the
same time.
Kyle Copperfield 2019-11-19 09:57:23 +00:00
parent 93e8c34e2e
commit 00ac71ab19

@ -20,6 +20,8 @@ with lib;
security.allowUserNamespaces = mkDefault false;
nix.useSandbox = mkDefault false;
security.protectKernelImage = mkDefault true;
security.allowSimultaneousMultithreading = mkDefault false;
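Review bot: the new `nix.useSandbox = mkDefault false;` line in this hunk carries no comment explaining why the hardened profile now turns the build sandbox off, so the coupling with the `security.allowUserNamespaces = mkDefault false;` line directly above it lives only in the commit message. Anyone who later overrides `security.allowUserNamespaces` to `true` in their configuration will not learn from the profile itself that `nix.useSandbox` must be flipped back to `true` at the same time to regain isolated builds, and conversely anyone who sets `nix.useSandbox = true` without re-enabling user namespaces gets builds that cannot create their sandbox. Suggest a comment above the two lines stating that they must be changed together, e.g.

    # The Nix build sandbox needs unprivileged user namespaces; keep these two
    # options in sync if you re-enable either one.

and a note in the option or release documentation that the hardened profile trades sandboxed builds for disallowing untrusted user namespaces, since both settings are `mkDefault` and are meant to be overridable.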