
I really want to adopt Nix and NixOS for my systems, but the cost of wrapping packages is just a little too high for me right now (or perhaps I'm out of date and a new cool tool that does it automatically is out). IMHO, a dependency-graph-based build system that builds a hermetically sealed transitive closure of an app's dependencies that can be plopped into a rootfs via Nix [0] is far superior security-wise to the traditional practice of writing Dockerfiles.

[0] https://yann.hodique.info/blog/using-nix-to-build-docker-ima...
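The closure-to-rootfs approach the comment refers to, as an added example that is not part of the comment or the linked post: a Nix expression using nixpkgs' `dockerTools.buildLayeredImage`, with `pkgs.hello` standing in for the application and `<nixpkgs>` assumed to be on the Nix path.

```nix
# Added example: build a container image whose root filesystem is exactly
# the runtime closure of one package. The app and its name are placeholders.
{ pkgs ? import <nixpkgs> { } }:

let
  # The application to ship. Its transitive runtime dependencies (glibc,
  # etc.) are discovered from the Nix store, not declared by hand.
  app = pkgs.hello;
in
pkgs.dockerTools.buildLayeredImage {
  name = "hello-closure";
  tag = "latest";

  # Only the listed paths and their closure end up in the image:
  # no shell, no package manager, no base distribution.
  contents = [ app ];

  config = {
    Cmd = [ "${app}/bin/hello" ];
    # Run unprivileged; a numeric uid:gid needs no /etc/passwd in the image.
    User = "1000:1000";
  };
}
```

Build with `nix-build image.nix && docker load < result`; listing the loaded image's layers shows only `/nix/store` paths, which is what keeps the attack surface to the dependencies the app actually needs.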

Hm, this seems like a lower-level set of tools that can be composed into something a bit more user-friendly (one of my personal complaints with Nix as well, despite being a big fan of the concept and overall execution. Nothing too steep that can't be learned eventually, but the curve exists). I'm wondering if there would be an audience for a higher-level abstraction on top of Nix, or if one already exists.
