Attempt replacing sandboxroot by rules_nixpkgs (or similar) #342

Open
Tracked by #345
leoluk opened this issue Aug 22, 2024 · 0 comments

leoluk commented Aug 22, 2024

Advantages of current approach:

  • Works outside of NixOS without requiring a Nix daemon.
  • Fedora, unlike NixOS, ships with toolchains which are actually meant for building for targets other than NixOS.

Disadvantages of current approach:

  • Requires buildFHSUserEnv on NixOS, which causes complications (such as Git breaking within it, and causing issues with Bazel daemon persistence), which is unfortunate, given that NixOS is our primary development target.
  • Friction caused by different host and build environments (generally fine, but inconvenient for debugging).
  • Becomes hard to reason about: a build on NixOS currently involves at least three wrappers and two user namespaces: Nix shell, FHS env, Bazel's own sandbox...
  • Hard dependency on Bazel's sandbox + user namespaces, preventing it from building in restricted environments (such as inside gVisor or distros that turn off user namespaces by default).
  • Hard dependency on Fedora.
    • Which is essentially a black box to us and can't easily be built/reproduced from source.

CC @q3k
