diff --git a/modules/unfree.nix b/modules/unfree.nix index 904fe04..9c42ea3 100644 --- a/modules/unfree.nix +++ b/modules/unfree.nix @@ -32,6 +32,7 @@ in "drone-runner-exec" # exception: same as drone.io "drone.io" # exception: is open source (but has usage restriction) "fahclient" # exception: for science + "makemkv" # exception: runs in sandbox, only way to get DRM garbage to work properly "p7zip" # exception: rar source code is not free, but available; p7zip with `enableUnfree` includes it # games (okay if they run sandboxed) diff --git a/users/simon/modules/default.nix b/users/simon/modules/default.nix index 3d32cb0..e36c7df 100644 --- a/users/simon/modules/default.nix +++ b/users/simon/modules/default.nix @@ -9,6 +9,7 @@ ./gtk.nix ./htop.nix ./logitech.nix + ./makemkv.nix ./misc.nix ./mpd.nix ./mpv diff --git a/users/simon/modules/makemkv.nix b/users/simon/modules/makemkv.nix new file mode 100644 index 0000000..04a8342 --- /dev/null +++ b/users/simon/modules/makemkv.nix 
@@ -0,0 +1,32 @@
+{ lib, nixosConfig, pkgs, ... }:
+let
+ # TODO: Do not hardcode /dev/{sr0,sg2} (right paths on sayuri)
+ makemkv-sandbox = pkgs.writeShellScriptBin "makemkv-sandbox" /* bash */ ''
+ set -euo pipefail
+ ${pkgs.bubblewrap}/bin/bwrap \
+ --tmpfs /tmp \
+ --proc /proc \
+ --dev /dev \
+ --unshare-all \
+ --die-with-parent \
+ --ro-bind /nix/store /nix/store \
+ --dev-bind /dev/dri /dev/dri \
+ --ro-bind /sys/dev/char /sys/dev/char \
+ --ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 \
+ --ro-bind $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY \
+ --ro-bind /run/opengl-driver /run/opengl-driver \
+ --ro-bind /etc/fonts /etc/fonts \
+ --new-session \
+ --bind /home/simon/.MakeMKV /home/simon/.MakeMKV \
+ --dev-bind /dev/sr0 /dev/sr0 \
+ --dev-bind /dev/sg2 /dev/sg2 \
+ --dev-bind /sys/bus/scsi /sys/bus/scsi \
+ --bind $PWD $PWD \
+ ${pkgs.unstable.makemkv}/bin/makemkv
+ '';
+in
+lib.mkIf (nixosConfig.sbruder.gui.enable && nixosConfig.sbruder.unfree.allowSoftware) {
+ home.packages = [
+ makemkv-sandbox
+ ];
+}
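Review bot: The `--bind $PWD $PWD` and `--ro-bind $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY …` arguments of the `bwrap` call are unquoted, so a working directory containing whitespace or glob characters is word-split into extra bwrap arguments and the mount layout no longer matches what the script intends; quote them as `--bind "$PWD" "$PWD" \` and `--ro-bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" \`. The caller's directory is also mounted read-write, so starting the wrapper from `$HOME` gives the unfree binary the whole home directory; a guard that refuses `$HOME` and `/`, or a dedicated output directory, would limit the writable area to the rip target. The full environment is inherited too, and `--clearenv` followed by explicit `--setenv` for the Wayland variables would keep tokens held in environment variables out of the sandbox. The `--dev-bind /sys/bus/scsi` mount may only need `--ro-bind`, which is worth checking against what MakeMKV needs for drive discovery.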