{ lib, nixosConfig, pkgs, ... }:
let
  # TODO: Do not hardcode /dev/{sr0,sg3} (right paths on fuuko)
  makemkv-sandbox = pkgs.writeShellScriptBin "makemkv-sandbox" /* bash */ ''
    set -euo pipefail
    mkdir -p $HOME/.MakeMKV
    ${pkgs.bubblewrap}/bin/bwrap \
        --tmpfs /tmp \
        --proc /proc \
        --dev /dev \
        --unshare-all \
        --share-net \
        --die-with-parent \
        --ro-bind /nix/store /nix/store \
        --ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 \
        --ro-bind $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY \
        --new-session \
        --bind $HOME/.MakeMKV $HOME/.MakeMKV \
        --dev-bind-try /dev/sr0 /dev/sr0 \
        --dev-bind-try /dev/sg3 /dev/sg3 \
        --dev-bind-try /sys/bus/scsi /sys/bus/scsi \
        --bind ''${PWD_TARGET:-$PWD} ''${PWD_TARGET:-$PWD} \
        ${pkgs.unstable.makemkv}/bin/makemkv
  '';
in
lib.mkIf ((nixosConfig.sbruder.gui.enable || nixosConfig.networking.hostName == "fuuko") && nixosConfig.sbruder.unfree.allowSoftware) {
  home.packages = with pkgs; [
    makemkv-sandbox
    waypipe
  ];
}