programs: make sandbox.wrapperType default to "wrappedDerivation" and remove everywhere i manually set that

hosts/common/programs/animatch.nix

@@ -31,7 +31,6 @@
     };
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistWayland = true;
 
     persist.byStore.plaintext = [

hosts/common/programs/assorted.nix

@@ -203,13 +203,11 @@ in
     # INDIVIDUAL PACKAGE DEFINITIONS
 
     alsaUtils.sandbox.method = "landlock";
-    alsaUtils.sandbox.wrapperType = "wrappedDerivation";
     alsaUtils.sandbox.whitelistAudio = true;  #< not strictly necessary?
 
     backblaze-b2 = {};
 
     blanket.sandbox.method = "bwrap";
-    blanket.sandbox.wrapperType = "wrappedDerivation";
     blanket.sandbox.whitelistAudio = true;
     # blanket.sandbox.whitelistDbus = [ "user" ];  # TODO: untested
     blanket.sandbox.whitelistWayland = true;
@@ -225,11 +223,9 @@ in
     ];
 
     bridge-utils.sandbox.method = "bwrap";  #< bwrap, landlock: both work
-    bridge-utils.sandbox.wrapperType = "wrappedDerivation";
     bridge-utils.sandbox.net = "all";
 
     brightnessctl.sandbox.method = "landlock";  # also bwrap, but landlock is more responsive
-    brightnessctl.sandbox.wrapperType = "wrappedDerivation";
     brightnessctl.sandbox.extraPaths = [
       "/sys/class/backlight"
       "/sys/class/leds"
@@ -238,7 +234,6 @@ in
     brightnessctl.sandbox.whitelistDbus = [ "system" ];
 
     btrfs-progs.sandbox.method = "bwrap";  #< bwrap, landlock: both work
-    btrfs-progs.sandbox.wrapperType = "wrappedDerivation";
     btrfs-progs.sandbox.autodetectCliPaths = "existing";  # e.g. `btrfs filesystem df /my/fs`
 
     "cacert.unbundled".sandbox.enable = false;
@@ -249,7 +244,6 @@ in
 
     # cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
     cryptsetup.sandbox.method = "landlock";
-    cryptsetup.sandbox.wrapperType = "wrappedDerivation";
     cryptsetup.sandbox.extraPaths = [
       "/dev/mapper"
       "/dev/random"
@@ -263,12 +257,10 @@ in
     cryptsetup.sandbox.autodetectCliPaths = "existing";
 
     ddrescue.sandbox.method = "landlock";  # TODO:sandbox: untested
-    ddrescue.sandbox.wrapperType = "wrappedDerivation";
     ddrescue.sandbox.autodetectCliPaths = "existingOrParent";
 
     # auth token, preferences
     delfin.sandbox.method = "bwrap";
-    delfin.sandbox.wrapperType = "wrappedDerivation";
     delfin.sandbox.whitelistAudio = true;
     delfin.sandbox.whitelistDbus = [ "user" ];  # else `mpris` plugin crashes the player
     delfin.sandbox.whitelistDri = true;
@@ -277,7 +269,6 @@ in
     delfin.persist.byStore.private = [ ".config/delfin" ];
 
     dig.sandbox.method = "bwrap";
-    dig.sandbox.wrapperType = "wrappedDerivation";
     dig.sandbox.net = "all";
 
     # creds, but also 200 MB of node modules, etc
@@ -293,18 +284,15 @@ in
     dtc.sandbox.autodetectCliPaths = true;  # TODO:sandbox: untested
 
     dtrx.sandbox.method = "bwrap";
-    dtrx.sandbox.wrapperType = "wrappedDerivation";
     dtrx.sandbox.whitelistPwd = true;
     dtrx.sandbox.autodetectCliPaths = "existing";  #< for the archive
 
     duplicity = {};
 
     e2fsprogs.sandbox.method = "landlock";
-    e2fsprogs.sandbox.wrapperType = "wrappedDerivation";
     e2fsprogs.sandbox.autodetectCliPaths = "existing";
 
     efibootmgr.sandbox.method = "landlock";
-    efibootmgr.sandbox.wrapperType = "wrappedDerivation";
     efibootmgr.sandbox.extraPaths = [
       "/sys/firmware/efi"
     ];
@@ -312,14 +300,12 @@ in
     eg25-control = {};
 
     electrum.sandbox.method = "bwrap";  # TODO:sandbox: untested
-    electrum.sandbox.wrapperType = "wrappedDerivation";
     electrum.sandbox.net = "all";  # TODO: probably want to make this run behind a VPN, always
     electrum.sandbox.whitelistWayland = true;
     electrum.persist.byStore.cryptClearOnBoot = [ ".electrum" ];  #< TODO: use XDG dirs!
 
     endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
     endless-sky.sandbox.method = "bwrap";
-    endless-sky.sandbox.wrapperType = "wrappedDerivation";
     endless-sky.sandbox.whitelistAudio = true;
     endless-sky.sandbox.whitelistDri = true;
     endless-sky.sandbox.whitelistWayland = true;
@@ -330,14 +316,12 @@ in
     emote.persist.byStore.plaintext = [ ".local/share/Emote" ];
 
     ethtool.sandbox.method = "landlock";
-    ethtool.sandbox.wrapperType = "wrappedDerivation";
     ethtool.sandbox.capabilities = [ "net_admin" ];
 
     # eza `ls` replacement
     # landlock is OK, only `whitelistPwd` doesn't make the intermediate symlinks traversable, so it breaks on e.g. ~/Videos/servo/Shows/foo
     # eza.sandbox.method = "landlock";
     eza.sandbox.method = "bwrap";
-    eza.sandbox.wrapperType = "wrappedDerivation";  # slow to build
     eza.sandbox.autodetectCliPaths = true;
     eza.sandbox.whitelistPwd = true;
     eza.sandbox.extraHomePaths = [
@@ -347,11 +331,9 @@ in
     ];
 
     fatresize.sandbox.method = "landlock";
-    fatresize.sandbox.wrapperType = "wrappedDerivation";
     fatresize.sandbox.autodetectCliPaths = "parent";  # /dev/sda1 -> needs /dev/sda
 
     fd.sandbox.method = "landlock";
-    fd.sandbox.wrapperType = "wrappedDerivation";  # slow to build
     fd.sandbox.autodetectCliPaths = true;
     fd.sandbox.whitelistPwd = true;
     fd.sandbox.extraHomePaths = [
@@ -361,15 +343,12 @@ in
     ];
 
     ffmpeg.sandbox.method = "bwrap";
-    ffmpeg.sandbox.wrapperType = "wrappedDerivation";  # slow to build
     ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent";  # it outputs uncreated files -> parent dir needs mounting
 
     file.sandbox.method = "bwrap";
-    file.sandbox.wrapperType = "wrappedDerivation";
     file.sandbox.autodetectCliPaths = true;
 
     findutils.sandbox.method = "bwrap";
-    findutils.sandbox.wrapperType = "wrappedDerivation";
     findutils.sandbox.autodetectCliPaths = true;
     findutils.sandbox.whitelistPwd = true;
     findutils.sandbox.extraHomePaths = [
@@ -381,14 +360,12 @@ in
     fluffychat-moby.persist.byStore.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];
 
     font-manager.sandbox.method = "bwrap";
-    font-manager.sandbox.wrapperType = "wrappedDerivation";
     font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
       # build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0
       withWebkit = false;
     });
 
     forkstat.sandbox.method = "landlock";  #< doesn't seem to support bwrap
-    forkstat.sandbox.wrapperType = "wrappedDerivation";
     forkstat.sandbox.extraConfig = [
       "--sane-sandbox-keep-namespace" "pid"
     ];
@@ -401,7 +378,6 @@ in
     #   should probably make it not be an app-launcher
     fuzzel.sandbox.enable = false;
     fuzzel.sandbox.method = "bwrap";  #< landlock nearly works, but unable to open ~/.cache
-    fuzzel.sandbox.wrapperType = "wrappedDerivation";
     fuzzel.sandbox.whitelistWayland = true;
     fuzzel.persist.byStore.private = [
       # this is a file of recent selections
@@ -414,7 +390,6 @@ in
 
     gdb.sandbox.enable = false;  # gdb doesn't sandbox well. i don't know how you could.
     # gdb.sandbox.method = "landlock";  # permission denied when trying to attach, even as root
-    gdb.sandbox.wrapperType = "wrappedDerivation";
     gdb.sandbox.autodetectCliPaths = true;
 
     geoclue2-with-demo-agent = {};
@@ -424,7 +399,6 @@ in
     gh.persist.byStore.private = [ ".config/gh" ];
 
     gimp.sandbox.method = "bwrap";
-    gimp.sandbox.wrapperType = "wrappedDerivation";
     gimp.sandbox.whitelistWayland = true;
     gimp.sandbox.extraHomePaths = [
       "Pictures/albums"
@@ -443,39 +417,32 @@ in
     ];
 
     "gnome.gnome-calculator".sandbox.method = "bwrap";
-    "gnome.gnome-calculator".sandbox.wrapperType = "wrappedDerivation";
     "gnome.gnome-calculator".sandbox.whitelistWayland = true;
 
     # gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
     "gnome.gnome-calendar".sandbox.method = "bwrap";
-    "gnome.gnome-calendar".sandbox.wrapperType = "wrappedDerivation";
     "gnome.gnome-calendar".sandbox.whitelistWayland = true;
 
     "gnome.gnome-clocks".sandbox.method = "bwrap";
-    "gnome.gnome-clocks".sandbox.wrapperType = "wrappedDerivation";
     "gnome.gnome-clocks".sandbox.whitelistWayland = true;
     "gnome.gnome-clocks".suggestedPrograms = [ "dconf" ];
 
     # gnome-disks
     "gnome.gnome-disk-utility".sandbox.method = "bwrap";
-    "gnome.gnome-disk-utility".sandbox.wrapperType = "wrappedDerivation";
     "gnome.gnome-disk-utility".sandbox.whitelistDbus = [ "system" ];
     "gnome.gnome-disk-utility".sandbox.whitelistWayland = true;
 
     # seahorse: dump gnome-keyring secrets.
     # N.B.: it can also manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now.
     "gnome.seahorse".sandbox.method = "bwrap";
-    "gnome.seahorse".sandbox.wrapperType = "wrappedDerivation";
     "gnome.seahorse".sandbox.whitelistDbus = [ "user" ];
     "gnome.seahorse".sandbox.whitelistWayland = true;
 
     gnome-2048.sandbox.method = "bwrap";
-    gnome-2048.sandbox.wrapperType = "wrappedDerivation";
     gnome-2048.sandbox.whitelistWayland = true;
     gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
 
     gnome-frog.sandbox.method = "bwrap";
-    gnome-frog.sandbox.wrapperType = "wrappedDerivation";
     gnome-frog.sandbox.whitelistWayland = true;
     gnome-frog.sandbox.whitelistDbus = [ "user" ];
     gnome-frog.sandbox.extraPaths = [
@@ -502,11 +469,9 @@ in
     # 2. no two shaded tiles can be direct N/S/E/W neighbors
     # - win once (1) and (2) are satisfied
     "gnome.hitori".sandbox.method = "bwrap";
-    "gnome.hitori".sandbox.wrapperType = "wrappedDerivation";
     "gnome.hitori".sandbox.whitelistWayland = true;
 
     gnugrep.sandbox.method = "bwrap";
-    gnugrep.sandbox.wrapperType = "wrappedDerivation";
     gnugrep.sandbox.autodetectCliPaths = true;
     gnugrep.sandbox.whitelistPwd = true;
     gnugrep.sandbox.extraHomePaths = [
@@ -519,7 +484,6 @@ in
     gpsd = {};
 
     gptfdisk.sandbox.method = "landlock";
-    gptfdisk.sandbox.wrapperType = "wrappedDerivation";
     gptfdisk.sandbox.extraPaths = [
       "/dev"
     ];
@@ -528,7 +492,6 @@ in
     grim = {};
 
     hase.sandbox.method = "bwrap";
-    hase.sandbox.wrapperType = "wrappedDerivation";
     hase.sandbox.net = "clearnet";
     hase.sandbox.whitelistAudio = true;
     hase.sandbox.whitelistDri = true;
@@ -536,15 +499,12 @@ in
 
     # hdparm: has to be run as sudo. e.g. `sudo hdparm -i /dev/sda`
     hdparm.sandbox.method = "bwrap";
-    hdparm.sandbox.wrapperType = "wrappedDerivation";
     hdparm.sandbox.autodetectCliPaths = true;
 
     host.sandbox.method = "landlock";
-    host.sandbox.wrapperType = "wrappedDerivation";
     host.sandbox.net = "all";  #< technically, only needs to contact localhost's DNS server
 
     htop.sandbox.method = "landlock";
-    htop.sandbox.wrapperType = "wrappedDerivation";
     htop.sandbox.extraPaths = [
       "/proc"
       "/sys/devices"
@@ -555,16 +515,13 @@ in
     ];
 
     iftop.sandbox.method = "landlock";
-    iftop.sandbox.wrapperType = "wrappedDerivation";
     iftop.sandbox.capabilities = [ "net_raw" ];
 
     # inetutils: ping, ifconfig, hostname, traceroute, whois, ....
     # N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
     inetutils.sandbox.method = "landlock";  # want to keep the same netns, at least.
-    inetutils.sandbox.wrapperType = "wrappedDerivation";
 
     inkscape.sandbox.method = "bwrap";
-    inkscape.sandbox.wrapperType = "wrappedDerivation";
     inkscape.sandbox.whitelistWayland = true;
     inkscape.sandbox.extraHomePaths = [
       "Pictures/albums"
@@ -580,7 +537,6 @@ in
     inkscape.sandbox.autodetectCliPaths = true;
 
     iotop.sandbox.method = "landlock";
-    iotop.sandbox.wrapperType = "wrappedDerivation";
     iotop.sandbox.extraPaths = [
       "/proc"
     ];
@@ -588,38 +544,31 @@ in
 
     # provides `ip`, `routel`, others
     iproute2.sandbox.method = "landlock";
-    iproute2.sandbox.wrapperType = "wrappedDerivation";
     iproute2.sandbox.net = "all";
     iproute2.sandbox.capabilities = [ "net_admin" ];
 
     iptables.sandbox.method = "landlock";
-    iptables.sandbox.wrapperType = "wrappedDerivation";
     iptables.sandbox.net = "all";
     iptables.sandbox.capabilities = [ "net_admin" ];
 
     # iputils provides `ping` (and arping, clockdiff, tracepath)
     iputils.sandbox.method = "landlock";
-    iputils.sandbox.wrapperType = "wrappedDerivation";
     iputils.sandbox.net = "all";
     iputils.sandbox.capabilities = [ "net_raw" ];
 
     iw.sandbox.method = "landlock";
-    iw.sandbox.wrapperType = "wrappedDerivation";
     iw.sandbox.net = "all";
     iw.sandbox.capabilities = [ "net_admin" ];
 
     jq.sandbox.method = "bwrap";
-    jq.sandbox.wrapperType = "wrappedDerivation";
     jq.sandbox.autodetectCliPaths = "existingFile";
 
     killall.sandbox.method = "landlock";
-    killall.sandbox.wrapperType = "wrappedDerivation";
     killall.sandbox.extraPaths = [
       "/proc"
     ];
 
     krita.sandbox.method = "bwrap";
-    krita.sandbox.wrapperType = "wrappedDerivation";
     krita.sandbox.whitelistWayland = true;
     krita.sandbox.autodetectCliPaths = "existing";
     krita.sandbox.extraHomePaths = [
@@ -637,11 +586,9 @@ in
     libcap_ng.sandbox.enable = false;  # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only)
 
     libnotify.sandbox.method = "bwrap";
-    libnotify.sandbox.wrapperType = "wrappedDerivation";
     libnotify.sandbox.whitelistDbus = [ "user" ];  # notify-send
 
     losslesscut-bin.sandbox.method = "bwrap";
-    losslesscut-bin.sandbox.wrapperType = "wrappedDerivation";
     losslesscut-bin.sandbox.extraHomePaths = [
       "Music"
       "Pictures/from"  # videos from e.g. mobile phone
@@ -656,13 +603,11 @@ in
     losslesscut-bin.sandbox.whitelistX = true;
 
     lsof.sandbox.method = "capshonly";  # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
-    lsof.sandbox.wrapperType = "wrappedDerivation";
 
     lua = {};
 
     "mate.engrampa".packageUnwrapped = pkgs.rmDbusServices pkgs.mate.engrampa;
     "mate.engrampa".sandbox.method = "bwrap";  # TODO:sandbox: untested
-    "mate.engrampa".sandbox.wrapperType = "wrappedDerivation";
     "mate.engrampa".sandbox.whitelistWayland = true;
     "mate.engrampa".sandbox.autodetectCliPaths = "existingOrParent";
     "mate.engrampa".sandbox.extraHomePaths = [
@@ -675,7 +620,6 @@ in
     ];
 
     mercurial.sandbox.method = "bwrap";  # TODO:sandbox: untested
-    mercurial.sandbox.wrapperType = "wrappedDerivation";
     mercurial.sandbox.net = "clearnet";
     mercurial.sandbox.whitelistPwd = true;
 
@@ -683,7 +627,6 @@ in
     # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
     monero-gui.persist.byStore.plaintext = [ ".bitmonero" ];
     monero-gui.sandbox.method = "bwrap";
-    monero-gui.sandbox.wrapperType = "wrappedDerivation";
     monero-gui.sandbox.net = "all";
     monero-gui.sandbox.extraHomePaths = [
       "records/finance/cryptocurrencies/monero"
@@ -692,20 +635,16 @@ in
     mumble.persist.byStore.private = [ ".local/share/Mumble" ];
 
     nano.sandbox.method = "bwrap";
-    nano.sandbox.wrapperType = "wrappedDerivation";
     nano.sandbox.autodetectCliPaths = "existingFileOrParent";
 
     netcat.sandbox.method = "landlock";
-    netcat.sandbox.wrapperType = "wrappedDerivation";
     netcat.sandbox.net = "all";
 
     nethogs.sandbox.method = "capshonly";  # *partially* works under landlock w/ full access to /
-    nethogs.sandbox.wrapperType = "wrappedDerivation";
     nethogs.sandbox.capabilities = [ "net_admin" "net_raw" ];
 
     # provides `arp`, `hostname`, `route`, `ifconfig`
     nettools.sandbox.method = "landlock";
-    nettools.sandbox.wrapperType = "wrappedDerivation";
     nettools.sandbox.net = "all";
     nettools.sandbox.capabilities = [ "net_admin" "net_raw" ];
     nettools.sandbox.extraPaths = [
@@ -713,7 +652,6 @@ in
     ];
 
     networkmanagerapplet.sandbox.method = "bwrap";
-    networkmanagerapplet.sandbox.wrapperType = "wrappedDerivation";
     networkmanagerapplet.sandbox.whitelistWayland = true;
     networkmanagerapplet.sandbox.whitelistDbus = [ "system" ];
 
@@ -726,11 +664,9 @@ in
     ];
 
     nmap.sandbox.method = "bwrap";
-    nmap.sandbox.wrapperType = "wrappedDerivation";
     nmap.sandbox.net = "all";  # clearnet and lan
 
     nmon.sandbox.method = "landlock";
-    nmon.sandbox.wrapperType = "wrappedDerivation";
     nmon.sandbox.extraPaths = [
       "/proc"
     ];
@@ -739,7 +675,6 @@ in
 
     # `nvme list` only shows results when run as root.
     nvme-cli.sandbox.method = "landlock";
-    nvme-cli.sandbox.wrapperType = "wrappedDerivation";
     nvme-cli.sandbox.extraPaths = [
       "/sys/devices"
       "/sys/class/nvme"
@@ -751,13 +686,11 @@ in
 
     # contains only `oathtool`, which i only use for evaluating TOTP codes from CLI/stdin
     oath-toolkit.sandbox.method = "bwrap";
-    oath-toolkit.sandbox.wrapperType = "wrappedDerivation";
 
     # settings (electron app)
     obsidian.persist.byStore.plaintext = [ ".config/obsidian" ];
 
     parted.sandbox.method = "landlock";
-    parted.sandbox.wrapperType = "wrappedDerivation";
     parted.sandbox.extraPaths = [
       "/dev"
     ];
@@ -766,12 +699,10 @@ in
     patchelf = {};
 
     pavucontrol.sandbox.method = "bwrap";
-    pavucontrol.sandbox.wrapperType = "wrappedDerivation";
     pavucontrol.sandbox.whitelistAudio = true;
     pavucontrol.sandbox.whitelistWayland = true;
 
     pciutils.sandbox.method = "landlock";
-    pciutils.sandbox.wrapperType = "wrappedDerivation";
     pciutils.sandbox.extraPaths = [
       "/sys/bus/pci"
       "/sys/devices"
@@ -780,7 +711,6 @@ in
     "perlPackages.FileMimeInfo".sandbox.enable = false;  #< TODO: sandbox `mimetype` but not `mimeopen`.
 
     powertop.sandbox.method = "landlock";
-    powertop.sandbox.wrapperType = "wrappedDerivation";
     powertop.sandbox.capabilities = [ "ipc_lock" "sys_admin" ];
     powertop.sandbox.extraPaths = [
       "/proc"
@@ -790,17 +720,14 @@ in
     ];
 
     pstree.sandbox.method = "landlock";
-    pstree.sandbox.wrapperType = "wrappedDerivation";
     pstree.sandbox.extraPaths = [
       "/proc"
     ];
 
     pulsemixer.sandbox.method = "landlock";
-    pulsemixer.sandbox.wrapperType = "wrappedDerivation";
     pulsemixer.sandbox.whitelistAudio = true;
 
     pwvucontrol.sandbox.method = "bwrap";
-    pwvucontrol.sandbox.wrapperType = "wrappedDerivation";
     pwvucontrol.sandbox.whitelistAudio = true;
     pwvucontrol.sandbox.whitelistWayland = true;
 
@@ -808,7 +735,6 @@ in
       requests
     ]);
     python3-repl.sandbox.method = "bwrap";
-    python3-repl.sandbox.wrapperType = "wrappedDerivation";
     python3-repl.sandbox.net = "clearnet";
     python3-repl.sandbox.extraHomePaths = [
       "/"
@@ -819,7 +745,6 @@ in
     qemu.slowToBuild = true;
 
     rsync.sandbox.method = "bwrap";
-    rsync.sandbox.wrapperType = "wrappedDerivation";
     rsync.sandbox.net = "clearnet";
     rsync.sandbox.autodetectCliPaths = "existingOrParent";
 
@@ -828,13 +753,11 @@ in
     screen.sandbox.enable = false;  #< tty; needs to run anything
 
     sequoia.sandbox.method = "bwrap";  # TODO:sandbox: untested
-    sequoia.sandbox.wrapperType = "wrappedDerivation";  # slow to build
     sequoia.sandbox.whitelistPwd = true;
     sequoia.sandbox.autodetectCliPaths = true;
 
     shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
     shattered-pixel-dungeon.sandbox.method = "bwrap";
-    shattered-pixel-dungeon.sandbox.wrapperType = "wrappedDerivation";
     shattered-pixel-dungeon.sandbox.whitelistAudio = true;
     shattered-pixel-dungeon.sandbox.whitelistDri = true;
     shattered-pixel-dungeon.sandbox.whitelistWayland = true;
@@ -851,7 +774,6 @@ in
     smartmontools.sandbox.capabilities = [ "sys_rawio" ];
 
     sops.sandbox.method = "bwrap";  # TODO:sandbox: untested
-    sops.sandbox.wrapperType = "wrappedDerivation";
     sops.sandbox.extraHomePaths = [
       ".config/sops"
       "dev/nixos"
@@ -861,7 +783,6 @@ in
     ];
 
     soundconverter.sandbox.method = "bwrap";
-    soundconverter.sandbox.wrapperType = "wrappedDerivation";
     soundconverter.sandbox.whitelistWayland = true;
     soundconverter.sandbox.extraHomePaths = [
       "Music"
@@ -875,19 +796,16 @@ in
     soundconverter.sandbox.autodetectCliPaths = "existingOrParent";
 
     sox.sandbox.method = "bwrap";
-    sox.sandbox.wrapperType = "wrappedDerivation";
     sox.sandbox.autodetectCliPaths = "existingFileOrParent";
     sox.sandbox.whitelistAudio = true;
 
     space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
     space-cadet-pinball.sandbox.method = "bwrap";
-    space-cadet-pinball.sandbox.wrapperType = "wrappedDerivation";
     space-cadet-pinball.sandbox.whitelistAudio = true;
     space-cadet-pinball.sandbox.whitelistDri = true;
     space-cadet-pinball.sandbox.whitelistWayland = true;
 
     speedtest-cli.sandbox.method = "bwrap";
-    speedtest-cli.sandbox.wrapperType = "wrappedDerivation";
     speedtest-cli.sandbox.net = "all";
 
     sqlite = {};
@@ -895,7 +813,6 @@ in
     strace.sandbox.enable = false;  #< needs to `exec` its args, and therefore support *anything*
 
     subversion.sandbox.method = "bwrap";
-    subversion.sandbox.wrapperType = "wrappedDerivation";
     subversion.sandbox.net = "clearnet";
     subversion.sandbox.whitelistPwd = true;
     sudo.sandbox.enable = false;
@@ -908,7 +825,6 @@ in
     superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
 
     tcpdump.sandbox.method = "landlock";
-    tcpdump.sandbox.wrapperType = "wrappedDerivation";
     tcpdump.sandbox.net = "all";
     tcpdump.sandbox.autodetectCliPaths = "existingFileOrParent";
     tcpdump.sandbox.capabilities = [ "net_admin" "net_raw" ];
@@ -918,12 +834,10 @@ in
     tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
 
     tree.sandbox.method = "landlock";
-    tree.sandbox.wrapperType = "wrappedDerivation";
     tree.sandbox.autodetectCliPaths = true;
     tree.sandbox.whitelistPwd = true;
 
     tumiki-fighters.sandbox.method = "bwrap";
-    tumiki-fighters.sandbox.wrapperType = "wrappedDerivation";
     tumiki-fighters.sandbox.whitelistAudio = true;
     tumiki-fighters.sandbox.whitelistDri = true;  #< not strictly necessary, but triples CPU perf
     tumiki-fighters.sandbox.whitelistWayland = true;
@@ -932,34 +846,28 @@ in
     util-linux.sandbox.enable = false;  #< TODO: possible to sandbox if i specific a different profile for each of its ~50 binaries
 
     unzip.sandbox.method = "bwrap";
-    unzip.sandbox.wrapperType = "wrappedDerivation";
     unzip.sandbox.autodetectCliPaths = "existingOrParent";
     unzip.sandbox.whitelistPwd = true;
 
     usbutils.sandbox.method = "bwrap";  # breaks `usbhid-dump`, but `lsusb`, `usb-devices` work
-    usbutils.sandbox.wrapperType = "wrappedDerivation";
     usbutils.sandbox.extraPaths = [
       "/sys/devices"
       "/sys/bus/usb"
     ];
 
     visidata.sandbox.method = "bwrap";  # TODO:sandbox: untested
-    visidata.sandbox.wrapperType = "wrappedDerivation";
     visidata.sandbox.autodetectCliPaths = true;
 
     # `vulkaninfo`, `vkcube`
     vulkan-tools.sandbox.method = "landlock";
-    vulkan-tools.sandbox.wrapperType = "wrappedDerivation";
 
     vvvvvv.sandbox.method = "bwrap";
-    vvvvvv.sandbox.wrapperType = "wrappedDerivation";
     vvvvvv.sandbox.whitelistAudio = true;
     vvvvvv.sandbox.whitelistDri = true;  #< playable without, but burns noticably more CPU
     vvvvvv.sandbox.whitelistWayland = true;
     vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
 
     w3m.sandbox.method = "bwrap";
-    w3m.sandbox.wrapperType = "wrappedDerivation";
     w3m.sandbox.net = "all";
     w3m.sandbox.extraHomePaths = [
       # little-used feature, but you can save web pages :)
@@ -967,11 +875,9 @@ in
     ];
 
     wdisplays.sandbox.method = "bwrap";
-    wdisplays.sandbox.wrapperType = "wrappedDerivation";
     wdisplays.sandbox.whitelistWayland = true;
 
     wget.sandbox.method = "bwrap";
-    wget.sandbox.wrapperType = "wrappedDerivation";
     wget.sandbox.net = "all";
     wget.sandbox.whitelistPwd = true;  # saves to pwd by default
 
@@ -979,16 +885,13 @@ in
 
     # `wg`, `wg-quick`
     wireguard-tools.sandbox.method = "landlock";
-    wireguard-tools.sandbox.wrapperType = "wrappedDerivation";
     wireguard-tools.sandbox.capabilities = [ "net_admin" ];
 
     # provides `iwconfig`, `iwlist`, `iwpriv`, ...
     wirelesstools.sandbox.method = "landlock";
-    wirelesstools.sandbox.wrapperType = "wrappedDerivation";
     wirelesstools.sandbox.capabilities = [ "net_admin" ];
 
     wl-clipboard.sandbox.method = "bwrap";
-    wl-clipboard.sandbox.wrapperType = "wrappedDerivation";
     wl-clipboard.sandbox.whitelistWayland = true;
 
     wtype = {};
@@ -1005,7 +908,6 @@ in
     yarn.persist.byStore.plaintext = [ ".cache/yarn" ];
 
     yt-dlp.sandbox.method = "bwrap";  # TODO:sandbox: untested
-    yt-dlp.sandbox.wrapperType = "wrappedDerivation";
     yt-dlp.sandbox.net = "all";
     yt-dlp.sandbox.whitelistPwd = true;  # saves to pwd by default
 

hosts/common/programs/audacity.nix

@@ -10,7 +10,6 @@
     };
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistAudio = true;
     sandbox.whitelistWayland = true;
     sandbox.autodetectCliPaths = true;

hosts/common/programs/bemenu.nix

@@ -88,7 +88,6 @@ in
 {
   sane.programs.bemenu = {
     sandbox.method = "bwrap";  # landlock works, but requires *all* of /run/user/$ID to be granted.
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       ".cache/fontconfig"  #< else it complains, and is *way* slower

hosts/common/programs/cozy.nix

@@ -3,7 +3,6 @@
 {
   sane.programs.cozy = {
     sandbox.method = "bwrap";  # landlock gives: _multiprocessing.SemLock: Permission Denied
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # mpris
     sandbox.whitelistWayland = true;

hosts/common/programs/dconf.nix

@@ -10,7 +10,6 @@ in
 {
   sane.programs.dconf = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     persist.byStore.private = [
       ".config/dconf"
     ];

hosts/common/programs/dino.nix

@@ -46,7 +46,6 @@ in
     };
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # notifications

hosts/common/programs/element-desktop.nix

@@ -17,7 +17,6 @@
     ];
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # notifications

hosts/common/programs/feedbackd.nix

@@ -25,7 +25,6 @@ in
     };
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistDbus = [ "user" ];
     sandbox.whitelistAudio = true;
 

hosts/common/programs/fontconfig.nix

@@ -30,7 +30,6 @@ in
 {
   sane.programs.fontconfig = {
     sandbox.method = "bwrap";  # TODO:sandbox: untested
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.autodetectCliPaths = "existingOrParent";  #< this might be overkill; or, how many programs reference fontconfig internally?
 
     persist.byStore.plaintext = [

hosts/common/programs/fractal.nix

@@ -28,7 +28,6 @@ in
     # packageUnwrapped = pkgs.fractal-next;
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # notifications

hosts/common/programs/frozen-bubble.nix

@@ -3,7 +3,6 @@
 {
   sane.programs.frozen-bubble = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";  # net play
     sandbox.whitelistAudio = true;
     sandbox.whitelistWayland = true;

hosts/common/programs/g4music.nix

@@ -9,7 +9,6 @@
 {
   sane.programs.g4music = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # mpris
     sandbox.whitelistWayland = true;

hosts/common/programs/gdbus.nix

@@ -4,7 +4,6 @@
     packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.glib "bin/gdbus";
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistDbus = [ "user" ];  #< XXX: maybe future users will also want system access
   };
 }

hosts/common/programs/geary.nix

@@ -20,7 +20,6 @@ in
     };
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistWayland = true;

hosts/common/programs/git.nix

@@ -19,7 +19,6 @@ in
       '';
     });
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistPwd = true;
     sandbox.autodetectCliPaths = true;  # necessary for git-upload-pack

hosts/common/programs/gnome-keyring/default.nix

@@ -6,7 +6,6 @@ in
   sane.programs.gnome-keyring = {
     packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-keyring;
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistDbus = [ "user" ];
     sandbox.extraRuntimePaths = [
       "keyring/control"

hosts/common/programs/gnome-maps.nix

@@ -3,7 +3,6 @@
   sane.programs."gnome.gnome-maps" = {
     packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-maps;
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistDri = true;  # for perf
     sandbox.whitelistDbus = [
       "system"  # system is required for non-portal location services

hosts/common/programs/go2tv.nix

@@ -34,7 +34,6 @@ in
 {
   sane.programs.go2tv = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.autodetectCliPaths = true;
     # for GUI invocation, allow the common media directories

hosts/common/programs/gpodder.nix

@@ -23,7 +23,6 @@ in {
     });
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistDbus = [ "user" ];  # it won't launch without it, dunno exactly why.
     sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";

hosts/common/programs/grimshot.nix

@@ -15,7 +15,6 @@
       "wl-clipboard"
     ];
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistWayland = true;
     sandbox.whitelistDbus = [ "user" ];
     sandbox.autodetectCliPaths = "existingFileOrParent";

hosts/common/programs/gtkcord4.nix

@@ -32,7 +32,6 @@ in
       '';
     });
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # notifications

hosts/common/programs/handbrake.nix

@@ -2,7 +2,6 @@
 {
   sane.programs.handbrake = {
     sandbox.method = "landlock";  #< also supports bwrap, but landlock ensures we don't write to non-mounted tmpfs dir
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [

hosts/common/programs/kdenlive.nix

@@ -2,7 +2,6 @@
 {
   sane.programs.kdenlive = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.extraHomePaths = [
       "Music"
       "Pictures/from"  # e.g. Videos taken from my phone

hosts/common/programs/komikku.nix

@@ -11,7 +11,6 @@
     });
 
     sandbox.method = "bwrap";  # TODO:sandbox untested
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistDbus = [ "user" ];  # needs to connect to dconf via dbus
     sandbox.whitelistDri = true;  #< required

hosts/common/programs/koreader/default.nix

@@ -46,7 +46,6 @@ in {
   sane.programs.koreader = {
     packageUnwrapped = pkgs.koreader-from-src;
     sandbox.method = "bwrap";  # sandboxes fine under landlock too, except for FTP
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistDri = true;  # reduces startup time and subjective page flip time
     sandbox.whitelistWayland = true;

hosts/common/programs/lemoa.nix

@@ -2,7 +2,6 @@
 {
   sane.programs.lemoa = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistDbus = [ "user" ];  # for clicking links
     sandbox.whitelistDri = true;

hosts/common/programs/loupe.nix

@@ -12,7 +12,6 @@
     }));
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistWayland = true;
     sandbox.autodetectCliPaths = "parent";
     sandbox.extraHomePaths = [

hosts/common/programs/megapixels.nix

@@ -10,7 +10,6 @@
     # bwrap (loupe image viewer) doesn't like to run inside landlock
     #   "bwrap: failed to make / slave: Operation not permitted"
     sandbox.method = "bwrap";  # supports landlock or bwrap
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
     sandbox.whitelistDbus = [ "user" ];  #< so that it can in theory open the image viewer using fdo portal... but it doesn't :|

hosts/common/programs/mepo.nix

@@ -5,7 +5,6 @@
 {
   sane.programs.mepo = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "all";  # for tiles *and* for localhost comm to gpsd
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;

hosts/common/programs/nautilus.nix

@@ -11,7 +11,6 @@
     }));
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistDbus = [ "user" ];  # for portals launching apps
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [

hosts/common/programs/neovim.nix

@@ -88,7 +88,6 @@ in
 {
   sane.programs.neovim = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.autodetectCliPaths = "existingOrParent";
     sandbox.whitelistWayland = true;  # for system clipboard integration
     # sandbox.whitelistPwd = true;

hosts/common/programs/nicotine-plus.nix

@@ -11,7 +11,6 @@
     });
 
     sandbox.method = "firejail";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistWayland = true;
     sandbox.net = "vpn";
 

hosts/common/programs/nix-index.nix

@@ -3,7 +3,6 @@
   # provides `nix-locate`, backed by the manually run `nix-index`
   sane.programs.nix-index = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.extraPaths = [
       "/nix"

hosts/common/programs/notejot.nix

@@ -2,7 +2,6 @@
 {
   sane.programs.notejot = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistWayland = true;
     suggestedPrograms = [ "dconf" ];  #< else it can't persist notes
 

hosts/common/programs/ntfy-sh.nix

@@ -21,7 +21,6 @@ in
     };
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
 
     secrets.".config/ntfy-sh/topic" = ../../../secrets/common/ntfy-sh-topic.bin;

hosts/common/programs/open-in-mpv.nix

@@ -3,7 +3,6 @@
 {
   sane.programs.open-in-mpv = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistDbus = [ "user" ];  # for xdg-open/portals
 
     # taken from <https://github.com/Baldomo/open-in-mpv>

hosts/common/programs/planify.nix

@@ -2,7 +2,6 @@
 {
   sane.programs.planify = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistDbus = [ "user" ];  # for dconf? else it can't persist any tasks/notes
     sandbox.whitelistWayland = true;
 

hosts/common/programs/portfolio-filemanager.nix

@@ -3,7 +3,6 @@
   sane.programs.portfolio-filemanager = {
     # this is all taken pretty directly from nautilus config
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistDbus = [ "user" ];  # for portals launching apps
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [

hosts/common/programs/ripgrep.nix

@@ -2,7 +2,6 @@
 {
   sane.programs.ripgrep = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.autodetectCliPaths = true;
     sandbox.whitelistPwd = true;
     sandbox.extraHomePaths = [

hosts/common/programs/rofi/default.nix

@@ -63,7 +63,6 @@ in
     ];
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistDbus = [ "user" ];  #< to launch apps via the portal
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
@@ -118,7 +117,6 @@ in
     };
     # if i could remove the sed, then maybe possible to not sandbox.
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       ".cache/rofi"

hosts/common/programs/sane-scripts.nix

@@ -54,7 +54,6 @@ in
 
     "sane-scripts.bt-add".sandbox = {
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       net = "clearnet";
       # TODO: migrate `transmission_passwd` to `secrets` api
       extraPaths = [ "/run/secrets/transmission_passwd" ];
@@ -62,7 +61,6 @@ in
 
     "sane-scripts.bt-rm".sandbox = {
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       net = "clearnet";
       # TODO: migrate `transmission_passwd` to `secrets` api
       extraPaths = [ "/run/secrets/transmission_passwd" ];
@@ -70,7 +68,6 @@ in
 
     "sane-scripts.bt-search".sandbox = {
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       net = "clearnet";
       # TODO: migrate `jackett_apikey` to `secrets` api
       extraPaths = [ "/run/secrets/jackett_apikey" ];
@@ -78,7 +75,6 @@ in
 
     "sane-scripts.bt-show".sandbox = {
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       net = "clearnet";
       # TODO: migrate `transmission_passwd` to `secrets` api
       extraPaths = [ "/run/secrets/transmission_passwd" ];
@@ -90,13 +86,11 @@ in
 
     "sane-scripts.deadlines".sandbox = {
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       extraHomePaths = [ "knowledge/planner/deadlines.tsv" ];
     };
 
     "sane-scripts.dev-cargo-loop".sandbox = {
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       net = "clearnet";
       whitelistPwd = true;
       extraPaths = [
@@ -110,7 +104,6 @@ in
 
     "sane-scripts.find-dotfiles".sandbox = {
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       extraHomePaths = [
         "/"
         ".persist/ephemeral"
@@ -120,7 +113,6 @@ in
 
     "sane-scripts.ip-check".sandbox = {
       method = "landlock";
-      wrapperType = "wrappedDerivation";
       net = "all";
     };
 
@@ -128,7 +120,6 @@ in
 
     "sane-scripts.private-change-passwd".sandbox = {
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       autodetectCliPaths = "existing";  #< for the new `private` location
       capabilities = [ "sys_admin" ];  # it needs to mount the new store
       extraHomePaths = [
@@ -140,7 +131,6 @@ in
       # instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.
       # this actually has an OK side effect, that the mount isn't shared, and so we avoid contention/interleaving that would cause the ending `umount` to fail.
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       # cap_sys_admin is needed to mount stuff.
       # ordinarily /run/wrappers/bin/mount would do that via setuid, but sandboxes have no_new_privs by default.
       capabilities = [ "sys_admin" ];
@@ -151,7 +141,6 @@ in
     };
     "sane-scripts.private-init".sandbox = {
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       capabilities = [ "sys_admin" ];  # it needs to mount the new store
       extraHomePaths = [
         ".persist/private"
@@ -162,7 +151,6 @@ in
 
     "sane-scripts.reclaim-boot-space".sandbox = {
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       extraPaths = [ "/boot" ];
     };
 
@@ -173,7 +161,6 @@ in
 
     "sane-scripts.reboot".sandbox = {
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       extraPaths = [
         "/run/dbus"
         "/run/systemd"
@@ -182,13 +169,11 @@ in
 
     "sane-scripts.reclaim-disk-space".sandbox = {
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       extraPaths = [ "/nix/var/nix" ];
     };
 
     "sane-scripts.secrets-unlock".sandbox = {
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       extraHomePaths = [
         ".ssh/id_ed25519"
         ".ssh/id_ed25519.pub"
@@ -214,7 +199,6 @@ in
 
     "sane-scripts.shutdown".sandbox = {
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       extraPaths = [
         "/run/dbus"
         "/run/systemd"
@@ -231,7 +215,6 @@ in
 
     "sane-scripts.tag-music".sandbox = {
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       autodetectCliPaths = "existing";
     };
 
@@ -256,7 +239,6 @@ in
       (builtins.attrNames config.sane.vpn);
     "sane-scripts.vpn".sandbox = {
       method = "landlock";  #< bwrap can't handle `ip link` stuff even with cap_net_admin
-      wrapperType = "wrappedDerivation";
       net = "all";
       capabilities = [ "net_admin" ];
       extraHomePaths = [ ".config/sane-vpn" ];
@@ -264,7 +246,6 @@ in
 
     "sane-scripts.which".sandbox = {
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       extraHomePaths = [
         # for SXMO
         ".config/sxmo/hooks"
@@ -273,7 +254,6 @@ in
 
     "sane-scripts.wipe".sandbox = {
       method = "bwrap";
-      wrapperType = "wrappedDerivation";
       whitelistDbus = [ "user" ];  #< for `secret-tool` and `systemd --user stop <service>
       extraHomePaths = [
         # could be more specific, but at a maintenance cost.

hosts/common/programs/sfeed.nix

@@ -17,7 +17,6 @@ let
 in {
   sane.programs.sfeed = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
 
     fs.".sfeed/sfeedrc".symlink.text = ''

hosts/common/programs/signal-desktop.nix

@@ -23,7 +23,6 @@ in
 
     packageUnwrapped = pkgs.signal-desktop-from-src;
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
     sandbox.whitelistWayland = true;

hosts/common/programs/splatmoji.nix

@@ -6,7 +6,6 @@
 {
   sane.programs.splatmoji = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistWayland = true;  # it calls into a dmenu helper
     sandbox.extraHomePaths = [
       ".cache/rofi"

hosts/common/programs/spot.nix

@@ -2,7 +2,6 @@
 {
   sane.programs.spot = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # mpris

hosts/common/programs/supertuxkart.nix

@@ -2,7 +2,6 @@
 {
   sane.programs.superTuxKart = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";  # net play
     sandbox.whitelistAudio = true;
     sandbox.whitelistDri = true;

hosts/common/programs/swaylock.nix

@@ -5,7 +5,6 @@ in
 {
   sane.programs.swaylock = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.extraPaths = [
       # N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.
       # swaylock seems (?) to offload password checking to pam's `unix_chkpwd`,

hosts/common/programs/swaynotificationcenter.nix

@@ -141,7 +141,6 @@ in
     }));
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [
       "user"  # mpris; portal

hosts/common/programs/tangram.nix

@@ -30,7 +30,6 @@ in
     slowToBuild = true;  # only true for cross-compiled tangram
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDri = true;

hosts/common/programs/tuba.nix

@@ -2,7 +2,6 @@
 {
   sane.programs.tuba = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # notifications

hosts/common/programs/unl0kr/default.nix

@@ -132,7 +132,6 @@ in
     # N.B.: this sandboxing applies to `unl0kr` itself -- the on-screen-keyboard;
     #       NOT to the wrapper which invokes `login`.
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistDri = true;
     sandbox.extraPaths = [
       "/dev/fb0"

hosts/common/programs/vlc.nix

@@ -15,7 +15,6 @@ in
       samba = null;
     };
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.autodetectCliPaths = true;
     sandbox.whitelistAudio = true;

hosts/common/programs/waybar/default.nix

@@ -57,7 +57,6 @@ in
     };
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "all";  #< to show net connection status and BW
     sandbox.whitelistDbus = [
       "user"  #< for playerctl/media

hosts/common/programs/waylock.nix

@@ -7,7 +7,6 @@ in
 {
   sane.programs.waylock = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.extraPaths = [
       # N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.
       # waylock seems (?) to offload password checking to pam's `unix_chkpwd`,

hosts/common/programs/wireplumber.nix

@@ -5,7 +5,6 @@ in
 {
   sane.programs.wireplumber = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistDbus = [
       # i think this isn't strictly necessary; it just wants to ask the portal for realtime perms
       # "system"

hosts/common/programs/wireshark.nix

@@ -5,7 +5,6 @@ in
 {
   sane.programs.wireshark = {
     sandbox.method = "landlock";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistWayland = true;
     sandbox.net = "all";
     sandbox.capabilities = [ "net_admin" "net_raw" ];

hosts/common/programs/wob/default.nix

@@ -32,7 +32,6 @@ in
     };
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistWayland = true;
 
     fs.".config/wob/wob.ini".symlink.text = ''

hosts/common/programs/xarchiver.nix

@@ -7,7 +7,6 @@
     };
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "archive"

hosts/common/programs/xdg-desktop-portal-gtk.nix

@@ -8,7 +8,6 @@ in
     packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-gtk;
 
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistDbus = [ "user" ];  # speak to main xdg-desktop-portal
     sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [

hosts/common/programs/xdg-desktop-portal-wlr.nix

@@ -8,7 +8,6 @@ in
     packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-wlr;
 
     sandbox.method = "bwrap";  # TODO:sandbox: untested
-    sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistDbus = [ "user" ];  # speak to main xdg-desktop-portal
     sandbox.whitelistWayland = true;
 

modules/programs/default.nix

@@ -316,7 +316,7 @@ let
       };
       sandbox.wrapperType = mkOption {
         type = types.enum [ "inplace" "wrappedDerivation" ];
-        default = "inplace";
+        default = "wrappedDerivation";
         description = ''
           how to manipulate the `packageUnwrapped` derivation in order to achieve sandboxing.
           - inplace: applies an override to `packageUnwrapped`, so that all `bin/` files are sandboxed,
@@ -327,7 +327,6 @@ let
           "inplace" is more reliable, but "wrappedDerivation" is more lightweight (doesn't force any rebuilds).
           the biggest gap in "wrappedDerivation" is that it doesn't link anything outside `bin/`, except for
           some limited (verified safe) support for `share/applications/*.desktop`
-          "wrappedDerivation" is mostly good for prototyping.
         '';
       };
       sandbox.autodetectCliPaths = mkOption {