nix-files/modules/programs/make-sandbox-profile.nix


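# Builds the sandbox profile for one package: a text file holding the
# `--sane-sandbox-*` flags, one token per line, written to
# share/sane-sandboxed/profiles/<pkgName>.profile inside the output.
#
# Arguments of the inner function:
#   pkgName             used in the derivation name and the profile file name.
#   method              emitted after `--sane-sandbox-method`.
#   allowedHomePaths    each entry is emitted after `--sane-sandbox-home-path`.
#   allowedRootPaths    each entry is emitted after `--sane-sandbox-path`.
#   autodetectCliPaths  null or false: no autodetect flag is emitted.
#                       Any other value is emitted after `--sane-sandbox-autodetect`.
#   capabilities        each entry is emitted after `--sane-sandbox-cap`.
#   dns                 null, or a list; each entry is emitted after `--sane-sandbox-dns`.
#   netDev              null, or the value emitted after `--sane-sandbox-net`.
#   whitelistPwd        when true, `--sane-sandbox-add-pwd` is emitted.
#   extraConfig         list of raw profile lines appended verbatim, last.
#
# NOTE(review): judging by the flag names, every path, capability, network and
# extraConfig entry presumably widens what the sandboxed program can reach;
# confirm against the consumer of these profiles and keep each list minimal.
#
# NOTE(review): the profile is newline-delimited and nothing here rejects a
# value that itself contains a newline, so such a value would show up as
# additional profile lines. Likewise `pkgName` is interpolated into the
# destination path unchecked. Callers should pass only trusted, literal values.
{ lib
, writeTextFile }:
{ pkgName
, method
, allowedHomePaths ? []
, allowedRootPaths ? []
, autodetectCliPaths ? false
, capabilities ? []
, dns ? null
, netDev ? null
, whitelistPwd ? false
, extraConfig ? []
}:
let
  # Pair every value in `values` with `flag`, producing a flat token list:
  # [ flag v1 flag v2 ... ].
  flagPairs = flag: values: lib.flatten (builtins.map (v: [ flag v ]) values);

  rootPathFlags = flagPairs "--sane-sandbox-path" allowedRootPaths;
  homePathFlags = flagPairs "--sane-sandbox-home-path" allowedHomePaths;
  capabilityFlags = flagPairs "--sane-sandbox-cap" capabilities;

  # Network access is opt-in: nothing is emitted unless netDev/dns are set.
  netDevFlags = lib.optionals (netDev != null) [ "--sane-sandbox-net" netDev ];
  dnsFlags = lib.optionals (dns != null) (flagPairs "--sane-sandbox-dns" dns);

  # The declared default is `false`, which is not null. Testing only for null
  # put the boolean itself into the token list, and concatStringsSep cannot
  # coerce a boolean to a string, so a call that left this argument at its
  # default failed to evaluate. Both `false` and `null` now mean "disabled".
  # `true` is deliberately not mapped to any mode here: it still fails at
  # concatStringsSep rather than silently enabling autodetection.
  autodetectEnabled = autodetectCliPaths != null && autodetectCliPaths != false;
  autodetectFlags = lib.optionals autodetectEnabled [
    "--sane-sandbox-autodetect"
    autodetectCliPaths
  ];

  pwdFlags = lib.optionals whitelistPwd [ "--sane-sandbox-add-pwd" ];

  # Token order is unchanged from the original: method, network, root paths,
  # home paths, capabilities, autodetect, pwd, then the caller's extraConfig.
  sandboxFlags =
    [ "--sane-sandbox-method" method ]
    ++ netDevFlags
    ++ dnsFlags
    ++ rootPathFlags
    ++ homePathFlags
    ++ capabilityFlags
    ++ autodetectFlags
    ++ pwdFlags
    ++ extraConfig;
in
writeTextFile {
  name = "${pkgName}-sandbox-profiles";
  destination = "/share/sane-sandboxed/profiles/${pkgName}.profile";
  # One token per line; flags and their values sit on consecutive lines.
  text = builtins.concatStringsSep "\n" sandboxFlags;
}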