simple nixos wrapper module

flake.nix

@@ -1,6 +1,8 @@
 {
-  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
-  inputs.systems.url = "github:nix-systems/default-linux";
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
+    systems.url = "github:nix-systems/default-linux";
+  };
 
   outputs =
     {
@@ -34,10 +36,13 @@
         yoke-lite = pkgs.rustPlatform.callPackage ./nix/package.nix { };
       });
       nixosModules.default =
-        { pkgs, ... }:
+        { pkgs, lib, ... }:
         {
-          imports = [ ./nix/module.nix ];
-          programs.yoke.package = self.packages.${pkgs.system}.yoke;
+          config = {
+            imports = [ ./nix/module.nix ];
+            wrapperPkg = self.packages.${pkgs.system}.yoke-lite;
+            environment.systemPackages = [ self.packages.${pkgs.system}.yoke ];
+          };
         };
     };
 }

nix/module.nix

@@ -0,0 +1,89 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkOption mkPackageOption types;
+  strNotEmpty = s: lib.stringLength s != 0;
+  wrapperType = lib.types.submodule {
+    options = {
+      package = mkPackageOption "wrapped" { } {
+        nullable = false;
+      };
+      executable = mkOption {
+        type = types.str;
+        default = "";
+      };
+      args = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+      };
+      env = mkOption {
+        type = types.attrsOf (types.listOf types.str);
+        default = { };
+      };
+      retainEnv = mkOption {
+        type = types.bool;
+        default = false;
+      };
+      addPwd = mkOption {
+        type = types.bool;
+        default = false;
+      };
+    };
+  };
+in
+{
+  options = {
+    wrappers = mkOption {
+      type = types.attrsOf wrapperType;
+    };
+    wrapperPkg = mkPackageOption "wrapper" { } { nullable = false; };
+  };
+  config =
+    let
+      wrap =
+        name: opts:
+        let
+          envs = lib.concatStringsSep " " (
+            lib.mapAttrsToList (n: v: "${n}=${lib.concatStringsSep ":" v}") opts.env
+          );
+          sandboxArgs = pkgs.stdenvNoCC.mkDerivation {
+            name = "${name}-opts";
+            __structuredAttrs = true;
+            exportReferencesGraph.closure = [ opts.package ];
+            preferLocalBuild = true;
+            nativeBuildInputs = [
+              pkgs.coreutils
+              pkgs.jq
+            ];
+            buildCommand = ''
+              echo -n "--fs rx=" > $out
+              jq -r '.closure[].path' < "$NIX_ATTRS_JSON_FILE" \
+                | tr '\n' ':' | sed 's/:$//' >> $out
+              ${if (strNotEmpty envs) then "echo -n ' --env ${envs}' >> $out" else ""}
+            '';
+          };
+          command = lib.getExe' opts.package (
+            if (strNotEmpty opts.executable) then opts.executable else opts.package.pname
+          );
+          wrappedArgs = lib.concatStringsSep " " opts.args;
+          script = ''
+            #! /usr/bin/env bash
+            ${lib.getExe' config.wrapperPkg "yoke"} \
+              ${if opts.addPwd then "--fs rwx=$PWD" else ""} \
+              ${if opts.retainEnv then "--retain-env" else ""} \
+              --fd-args -- \
+              ${command} \
+              ${wrappedArgs} $@ \
+              3< ${sandboxArgs}
+          '';
+        in
+        pkgs.writeScriptBin "${name}" script;
+    in
+    {
+      environment.systemPackages = lib.mapAttrsToList wrap config.wrappers;
+    };
+}

src/main.rs

@@ -46,8 +46,8 @@ rules
     env vars:
         --env | -e [key]=[value]
 
-    clear inherited env vars:
-        --clear-env | -c
+    retain inherited env vars:
+        --retain-env | -r
 
     allow use of external unix domain sockets:
         --sockets | -s