sane-sandboxed: split out into an actual package

hosts/common/programs/default.nix

@@ -95,6 +95,7 @@
     ./rofi
     ./s6-rc.nix
     ./sane-input-handler
+    ./sane-sandboxed.nix
     ./sane-screenshot.nix
     ./sane-scripts.nix
     ./schlock.nix

hosts/common/programs/sane-sandboxed.nix

@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+let
+  cfg = config.sane.programs;
+in
+{
+  sane.programs.sane-sandboxed = {
+    packageUnwrapped = pkgs.sane-sandboxed.override {
+      bubblewrap = cfg.bubblewrap.package;
+      firejail = cfg.firejail.package;
+      landlock-sandboxer = pkgs.landlock-sandboxer.override {
+        # not strictly necessary (landlock ABI is versioned), however when sandboxer version != kernel version,
+        # the sandboxer may nag about one or the other wanting to be updated.
+        linux = config.boot.kernelPackages.kernel;
+      };
+    };
+
+    sandbox.enable = false;
+  };
+}

modules/programs/default.nix

@@ -41,7 +41,7 @@ let
     else
       let
         makeProfile = pkgs.callPackage ./make-sandbox-profile.nix { };
-        makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sane-sandboxed = config.sane.sandboxHelper; };
+        makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sane-sandboxed = config.sane.programs.sane-sandboxed.package; };
 
         # removeStorePaths: [ str ] -> [ str ], but remove store paths, because nix evals aren't allowed to contain any (for purity reasons?)
         removeStorePaths = paths: lib.filter (p: !(lib.hasPrefix "/nix/store" p)) paths;
@@ -610,22 +610,6 @@ in
         set to 0 to get the fastest, but most restrictive build.
       '';
     };
-    sane.sandboxHelper = mkOption {
-      type = types.package;
-      default = pkgs.callPackage ./sane-sandboxed.nix {
-        bubblewrap = cfg.bubblewrap.package;
-        firejail = cfg.firejail.package;
-        landlock-sandboxer = pkgs.landlock-sandboxer.override {
-          # not strictly necessary (landlock ABI is versioned), however when sandboxer version != kernel version,
-          # the sandboxer may nag about one or the other wanting to be updated.
-          linux = config.boot.kernelPackages.kernel;
-        };
-      };
-      description = ''
-        `sane-sandbox` package.
-        exposed to facilitate debugging, e.g. `nix build '.#hostConfigs.desko.sane.sandboxHelper'`
-      '';
-    };
     sane.strictSandboxing = mkOption {
       type = types.enum [ false "warn" "assert" ];
       default = "warn";
@@ -651,7 +635,7 @@ in
       (take (sane-lib.mkTypedMerge take configs))
       {
         environment.pathsToLink = [ "/share/sane-sandboxed" ];
-        environment.systemPackages = [ config.sane.sandboxHelper ];
+        sane.programs.sane-sandboxed.enableFor.system = true;
         # expose the pkgs -- as available to the system -- as a build target.
         system.build.pkgs = pkgs;
       }

pkgs/default.nix

@@ -58,6 +58,7 @@ let
     rtl8723cs-firmware = callPackage ./additional/rtl8723cs-firmware { };
     rtl8723cs-wowlan = callPackage ./additional/rtl8723cs-wowlan { };
     sane-open-desktop = callPackage ./additional/sane-open-desktop { };
+    sane-sandboxed = callPackage ./additional/sane-sandboxed { };
     sane-screenshot = callPackage ./additional/sane-screenshot { };
     sane-scripts = lib.recurseIntoAttrs (callPackage ./additional/sane-scripts { });
     sane-weather = callPackage ./additional/sane-weather { };