Cloning builder process: Operation not permitted when using Nix (under Linux) update channel
Following the suggestion in this comment resolves the problem:
sysctl kernel.unprivileged_userns_clone=1
Nix uses quite a lot of flags for the clone, mainly to detach some Linux namespaces. I expect your system doesn't support some of these for unprivileged processes. IIRC some distros chose that because of security concerns.
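
A check to run before changing the setting, as an added example that is not part of the original answers: it reads the sysctl named above, then tries to create a user namespace as the current user with unshare from util-linux. Reading the upstream user.max_user_namespaces limit is an assumption beyond what the thread mentions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic example; not from the original thread.
# Sysctl paths are parameters so the logic can be exercised on constructed files.

# Print the value stored in a sysctl file, or "absent" if the kernel lacks it.
read_knob() {
    if [ -r "$1" ]; then cat "$1"; else echo absent; fi
}

# Report which sysctl, if any, forbids unprivileged user namespaces.
# $1: distro-patched knob (kernel.unprivileged_userns_clone)
# $2: upstream limit      (user.max_user_namespaces), an assumption beyond the thread
userns_verdict() {
    clone_knob=$(read_knob "$1")
    max_ns=$(read_knob "$2")
    if [ "$clone_knob" = 0 ]; then
        echo "blocked: kernel.unprivileged_userns_clone=0"
    elif [ "$max_ns" = 0 ]; then
        echo "blocked: user.max_user_namespaces=0"
    else
        echo "not blocked by sysctl"
    fi
}

# Live probe: try to create a user namespace as the current user.
probe_userns() {
    if ! command -v unshare >/dev/null 2>&1; then
        echo "probe: unshare not installed"
    elif unshare --user true 2>/dev/null; then
        echo "probe: ok"
    else
        echo "probe: failed"
    fi
}

# Check the running host using the real /proc paths.
check_host() {
    userns_verdict /proc/sys/kernel/unprivileged_userns_clone \
                   /proc/sys/user/max_user_namespaces
    probe_userns
}

check_host
```

If the verdict is "not blocked by sysctl" but the probe still fails, the restriction comes from somewhere else (for example a container runtime or a security module), and changing the sysctl will not help.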