{ lib, stdenv
, bash
, bubblewrap
, firejail
, landlock-sandboxer
, libcap
, substituteAll
, profileDir ? "/share/sanebox/profiles"
}:
stdenv.mkDerivation {
  pname = "sanebox";
  version = "0.1";

  src = ./sanebox;
  dontUnpack = true;

  buildInputs = [
    bash  # for cross builds, to ensure #!/bin/sh is substituted
  ];

  buildPhase = ''
    runHook preBuild
    substitute $src sanebox \
      --replace-fail '@bwrap@' '${lib.getExe bubblewrap}' \
      --replace-fail '@firejail@' '${lib.getExe' firejail "firejail"}' \
      --replace-fail '@landlockSandboxer@' '${lib.getExe landlock-sandboxer}' \
      --replace-fail '@capsh@' '${lib.getExe' libcap "capsh"}'
    runHook postBuild
  '';

  installPhase = ''
    runHook preInstall
    install -d "$out"
    install -d "$out/bin"
    install -m 755 sanebox $out/bin/sanebox
    runHook postInstall
  '';

  meta = {
    description = ''
      helper program to run some other program in a sandbox.
      factoring this out allows:
      1. to abstract over the particular sandbox implementation (bwrap, firejail, ...).
      2. to modify sandbox settings without forcing a rebuild of the sandboxed package.
    '';
    mainProgram = "sanebox";
  };
}