From fe10640821ce6c98bfa278abc455610c7a831047 Mon Sep 17 00:00:00 2001
From: Colin <colin@uninsane.org>
Date: Sat, 2 Mar 2024 20:46:49 +0000
Subject: [PATCH] wob-pulse: sandbox

---
 hosts/common/programs/wob/default.nix | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/hosts/common/programs/wob/default.nix b/hosts/common/programs/wob/default.nix
index 48c379eb..923b70c8 100644
--- a/hosts/common/programs/wob/default.nix
+++ b/hosts/common/programs/wob/default.nix
@@ -26,7 +26,7 @@ in
         };
         options.sock = mkOption {
           type = types.str;
-          default = "sxmo.wobsock";
+          default = "sxmo.wobsock";  #< TODO: rename this!
         };
       };
     };
@@ -34,6 +34,10 @@ in
     sandbox.method = "bwrap";
     sandbox.whitelistWayland = true;
 
+    suggestedPrograms = [
+      "wob-pulse"
+    ];
+
     fs.".config/wob/wob.ini".symlink.text = ''
       timeout = 900
 
@@ -83,9 +87,26 @@ in
       '';
       environment.WOBSOCK_NAME = cfg.config.sock;
     };
+  };
+
+  sane.programs.wob-pulse = {
+    packageUnwrapped = wob-pulse;
+    sandbox.method = "bwrap";
+    sandbox.whitelistAudio = true;
+    sandbox.extraRuntimePaths = [
+      cfg.config.sock
+    ];
+
+    suggestedPrograms = [
+      # "coreutils"
+      "gnugrep"
+      "gnused"
+      "pulseaudio"  #< TODO: replace with just the one binary we need.
+    ];
 
     services.wob-pulse = {
       description = "wob-pulse: monitor pulseaudio and display volume changes on-screen";
+      after = [ "wob.service" ];
       wantedBy = [ "wob.service" ];
       serviceConfig = {
         ExecStart = "${wob-pulse}/bin/wob-pulse";