avahi: sandbox with bunpen

hosts/common/programs/avahi.nix

@@ -19,7 +19,7 @@ in
     packageUnwrapped = pkgs.avahi.overrideAttrs (upstream: {
       # avahi wants to do its own sandboxing opaque to systemd & maybe in conflict with my bwrap.
       # --no-drop-root disables that, so that i can e.g. run it as User=avahi, etc.
-      # do this here, because the service isn't so easily patched.
+      # do this here, because the nixos service isn't so easily patched.
       postInstall = (upstream.postInstall or "") + ''
         wrapProgram "$out/sbin/avahi-daemon" \
           --add-flags --no-drop-root
@@ -28,17 +28,15 @@ in
         pkgs.makeBinaryWrapper
       ];
     });
-    sandbox.method = "bwrap";
+    sandbox.method = "bunpen";
     sandbox.whitelistDbus = [ "system" ];
     sandbox.net = "all";  #< otherwise it will show 'null' in place of each interface name.
-    sandbox.extraPaths = [
+    # sandbox.extraPaths = [ ];  #< may be missing some paths; only tried service discovery, not service advertisement.
-      "/"  #< TODO: decrease this, but be weary that the daemon might exit immediately
-    ];
   };
 
   services.avahi = lib.mkIf cfg.enabled {
     enable = true;
-    package = cfg.package;
+    package = cfg.packageUnwrapped;  #< use systemd sandboxing... not my own
     publish.enable = true;
     publish.userServices = true;
     nssmdns4 = true;