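# Home-manager module that installs `makemkv-sandbox`, a wrapper that starts
# MakeMKV inside a bubblewrap sandbox. The package is only added when the host
# configuration enables both the GUI and unfree software.
{ lib, nixosConfig, pkgs, ... }:
let
  # TODO: Do not hardcode /dev/{sr0,sg2} (right paths on sayuri)
  makemkv-sandbox = pkgs.writeShellScriptBin "makemkv-sandbox" /* bash */ ''
    set -euo pipefail

    # An empty (but set) WAYLAND_DISPLAY would turn the socket path below into
    # the whole runtime directory and expose every socket in it to the sandbox,
    # so refuse to start unless both variables are non-empty.
    : "''${XDG_RUNTIME_DIR:?XDG_RUNTIME_DIR must be set and non-empty}"
    : "''${WAYLAND_DISPLAY:?WAYLAND_DISPLAY must be set and non-empty}"

    config_dir="$HOME/.MakeMKV"
    wayland_socket="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
    # Directory the rip is written to. It is bound read-write, so starting the
    # wrapper from the home directory exposes the whole home directory to
    # MakeMKV; run it from a dedicated output directory or set PWD_TARGET.
    work_dir="''${PWD_TARGET:-$PWD}"

    mkdir -p "$config_dir"

    # Every path is quoted: an unquoted path containing whitespace is split
    # into several bwrap arguments and would change which paths get bound.
    #
    # --unshare-all     new namespaces for everything bwrap supports, network included
    # --die-with-parent the sandbox is killed when this wrapper exits
    # --new-session     detaches from the controlling terminal (no TIOCSTI input injection)
    # Read-only binds cover the store, fonts, the OpenGL driver, the sysfs
    # device information and the Wayland socket; the only writable paths are
    # the MakeMKV config directory and the working directory.
    # --dev-bind-try skips a device that does not exist on this machine.
    ${pkgs.bubblewrap}/bin/bwrap \
      --tmpfs /tmp \
      --proc /proc \
      --dev /dev \
      --unshare-all \
      --die-with-parent \
      --ro-bind /nix/store /nix/store \
      --dev-bind /dev/dri /dev/dri \
      --ro-bind /sys/dev/char /sys/dev/char \
      --ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 \
      --ro-bind "$wayland_socket" "$wayland_socket" \
      --ro-bind /run/opengl-driver /run/opengl-driver \
      --ro-bind /etc/fonts /etc/fonts \
      --new-session \
      --bind "$config_dir" "$config_dir" \
      --dev-bind-try /dev/sr0 /dev/sr0 \
      --dev-bind-try /dev/sg2 /dev/sg2 \
      --dev-bind-try /sys/bus/scsi /sys/bus/scsi \
      --bind "$work_dir" "$work_dir" \
      ${pkgs.unstable.makemkv}/bin/makemkv
  '';
in
lib.mkIf (nixosConfig.sbruder.gui.enable && nixosConfig.sbruder.unfree.allowSoftware) {
  home.packages = [
    makemkv-sandbox
  ];
}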