wg-home-refresh: use the sandboxed wireguard-tools

modules/vpn.nix

@@ -185,7 +185,7 @@ let
       # periodically re-apply peers, to ensure DNS mappings stay fresh
       # borrowed from <repo:nixos/nixpkgs:nixos/modules/services/networking/wireguard.nix>
       wantedBy = [ "network.target" ];
-      path = with pkgs; [ wireguard-tools ];
+      path = [ config.sane.programs.wireguard-tools.package ];
       serviceConfig.Restart = "always";
       serviceConfig.RestartSec = "60"; #< retry delay when we fail (because e.g. there's no network)
       serviceConfig.Type = "simple";
@@ -215,6 +215,7 @@ let
       serviceConfig.SystemCallArchitectures = "native";
       serviceConfig.SystemCallFilter = [
         "@system-service"
+        "@sandbox"
         "~@chown"
         "~@cpu-emulation"
         "~@keyring"