{ config, ... }:
let
  cfg = config.sane.programs.wireplumber;
in
{
  sane.programs.wireplumber = {
    sandbox.method = "bwrap";
    sandbox.wrapperType = "inplace";  #< it ships systemd files in a non-standard /lib/systemd dir
    sandbox.whitelistDbus = [
      # i think this isn't strictly necessary; it just wants to ask the portal for realtime perms
      # "system"
      "user"
    ];
    sandbox.whitelistAudio = true;
    sandbox.extraPaths = [
      # i think these video inputs (for e.g. webcam) are optional.
      "/dev/media0"
      "/dev/snd"
      "/dev/video0"
      "/dev/video1"
      "/run/systemd"
      "/run/udev"
      "/sys/class/sound"
      "/sys/class/video4linux"
      "/sys/devices"
    ];

    persist.byStore.plaintext = [
      # persist per-device volume levels
      ".local/state/wireplumber"
    ];

    services.wireplumber = {
      description = "wireplumber: pipewire Multimedia Service Session Manager";
      after = [ "pipewire.service" ];
      bindsTo = [ "pipewire.service" ];
      wantedBy = [ "pipewire.service" ];
      serviceConfig = {
        ExecStart = "${cfg.package}/bin/wireplumber";
        Type = "simple";
        Restart = "always";
        RestartSec = "5s";
      };
    };
  };
}