nixos/nix-daemon: default nix.useSandbox to true.

nixos/doc/manual/release-notes/rl-1809.xml

@@ -370,7 +370,9 @@ inherit (pkgs.nixos {
       <varname>s6-dns</varname>, <varname>s6-networking</varname>,
       <varname>s6-linux-utils</varname> and <varname>s6-portable-utils</varname> respectively.
     </para>
-   </listitem>
+  </listitem>
+  <listitem>
+    <para>The module option <option>nix.useSandbox</option> is now defaulted to <literal>true</literal>.
   </itemizedlist>
  </section>
 </section>

nixos/modules/services/misc/nix-daemon.nix

@@ -127,16 +127,16 @@ in
 
       useSandbox = mkOption {
         type = types.either types.bool (types.enum ["relaxed"]);
-        default = false;
+        default = true;
         description = "
           If set, Nix will perform builds in a sandboxed environment that it
           will set up automatically for each build. This prevents impurities
           in builds by disallowing access to dependencies outside of the Nix
           store by using network and mount namespaces in a chroot environment.
-          This isn't enabled by default for possible performance impacts due to
+          This is enabled by default even though it has a possible performance
-          the initial setup time of a sandbox for each build. It doesn't affect
+          impact due to the initial setup time of a sandbox for each build. It
-          derivation hashes, so changing this option will not trigger a rebuild
+          doesn't affect derivation hashes, so changing this option will not
-          of packages.
+          trigger a rebuild of packages.
         ";
       };