sane-sandboxed: load profiles via $NIX_PROFILES env var

modules/programs/sane-sandboxed

@@ -1,6 +1,6 @@
 #!@runtimeShell@
 
-profileDirs=(@profileDirs@)
+profileDirs=()
 isDebug=
 isDisable=
 
@@ -56,6 +56,13 @@ tryLoadProfileByName() {
   fi
 }
 
+initDefaultProfileDirs() {
+  # NIX_PROFILES is a space-separated array of /run/current-system/sw, ...
+  for d in $NIX_PROFILES; do
+    profileDirs+=("$d/share/sane-sandboxed/profiles")
+  done
+}
+
 # convert e.g. `file:///Local%20Users/foo.mp3` to `file:///Local Users/foo.mp3`
 urldecode() {
   # source: <https://stackoverflow.com/q/6250698>
@@ -521,6 +528,7 @@ ingestForBackend() {
 ## TOPLEVEL EXECUTION
 #  no code evaluated before this point should be dependent on user args / environment.
 
+initDefaultProfileDirs
 parseArgsAndEnvironment "$@"
 
 # variables meant to be inherited

modules/programs/sane-sandboxed.nix

@@ -14,9 +14,6 @@ let
     inherit bubblewrap firejail libcap runtimeShell;
     landlockSandboxer = landlock-sandboxer;
     firejailProfileDirs = "/run/current-system/sw/etc/firejail /etc/firejail ${firejail}/etc/firejail";
-    # /run might be unavailable inside a container, so to support nested containers
-    # fallback to a profile dir adjacent to the sane-sandboxed binary
-    profileDirs = "/run/current-system/sw/${profileDir} @out@/${profileDir}";
   };
   self = stdenv.mkDerivation {
     pname = "sane-sandboxed";