{ config, lib, pkgs, ... }:
let
  cfg = config.sane.programs;
in
{
  sane.programs.sanebox = {
    packageUnwrapped = (pkgs.sanebox.override {
      bubblewrap = cfg.bubblewrap.package;
      iproute2 = cfg.iproute2.package;
      iptables = cfg.iptables.package;
      libcap = cfg.capsh.package;  #< the sandboxer doesn't use any other libcap binaries
      passt = cfg.passt.package;
      landlock-sandboxer = cfg.landlock-sandboxer.package;
      # landlock-sandboxer = pkgs.landlock-sandboxer.override {
      #   # not strictly necessary (landlock ABI is versioned), however when sandboxer version != kernel version,
      #   # the sandboxer may nag about one or the other wanting to be updated.
      #   linux = config.boot.kernelPackages.kernel;
      # };
    }).overrideAttrs (base: {
      # create a directory which holds just the `sanebox` so that we
      # can add sanebox as a dependency to binaries via `PATH=/run/current-system/libexec/sanebox` without forcing rebuild every time sanebox changes
      postInstall = ''
        mkdir -p $out/libexec/sanebox
        ln -s $out/bin/sanebox $out/libexec/sanebox/sanebox
      '';
    });

    sandbox.enable = false;
  };

  environment.pathsToLink = lib.mkIf cfg.sanebox.enabled [ "/libexec/sanebox" ];
}