WIP: megapixels: sandbox

hosts/common/programs/default.nix

@@ -51,6 +51,7 @@
     ./lemoa.nix
     ./loupe.nix
     ./mako.nix
+    ./megapixels.nix
     ./mepo.nix
     ./mimeo
     ./mopidy.nix

hosts/common/programs/megapixels.nix

@@ -0,0 +1,20 @@
+{ ... }:
+{
+  sane.programs.megapixels = {
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistDri = true;
+    sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      "tmp"
+      "Pictures"
+    ];
+    sandbox.extraPaths = [
+      # needs /dev/media*, /dev/video*; easier to give it all of /dev which isn't that bad since it's not running as root.
+      "/dev"
+      # it passes the raw .dng files to a post-processor, via /tmp
+      "/tmp"
+    ];
+    # TODO: surely needs access to the camera device, etc.
+  };
+}