diff --git a/rust/nci.nix b/rust/nci.nix
index 2385516..08edb9f 100644
--- a/rust/nci.nix
+++ b/rust/nci.nix
@@ -13,6 +13,31 @@ nativeBuildInputs = [ pkgs.pkg-config ];
+ # Prepare the environment for Nix to work.
+ # Nix does not provide a suitable environment for running itself in
+ # the sandbox - not by default. We configure it to use a relocated store.
+ preCheck = ''
+ # nix needs a home directory
+ export HOME="$(mktemp -d $TMPDIR/home.XXXXXX)"
+
+ # configure a relocated store
+ store_data=$(mktemp -d $TMPDIR/store-data.XXXXXX)
+ export NIX_REMOTE="$store_data"
+ export NIX_BUILD_HOOK=
+ export NIX_CONF_DIR=$store_data/etc
+ export NIX_LOCALSTATE_DIR=$store_data/nix/var
+ export NIX_LOG_DIR=$store_data/nix/var/log/nix
+ export NIX_STATE_DIR=$store_data/nix/var/nix
+
+ echo "Configuring relocated store at $NIX_REMOTE..."
+
+ # Init ahead of time, because concurrent initialization is flaky
+ ${# Not using nativeBuildInputs because this should (hopefully) be
+ # the only place where we need a nix binary. Let's stay in control.
+ pkgs.buildPackages.nix}/bin/nix-store --init
+
+ echo "Store initialized."
+ '';
 }; # NOTE: duplicated in flake.nix devShell env = {
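Review bot: In the added `preCheck`, `export HOME="$(mktemp -d $TMPDIR/home.XXXXXX)"` hides a failing `mktemp` behind the exit status of `export`, so the phase would carry on with an empty `HOME` even if the builder shell runs with `set -e` (its shell options are not visible in this hunk). Assigning first and exporting afterwards, `HOME="$(mktemp -d "$TMPDIR/home.XXXXXX")"` then `export HOME`, lets the failure stop the check. Quoting `"$TMPDIR/store-data.XXXXXX"` in the second `mktemp` call the same way keeps a temp path containing spaces from being word-split. This matters because an empty `store_data` would make `NIX_CONF_DIR` and `NIX_STATE_DIR` resolve to `/etc` and `/nix/var/nix` instead of the relocated store, so a short comment above the exports stating that they must all stay under `$store_data` would help the next editor. The attribute set that contains `preCheck` opens above the hunk.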