Making Nixpak a system module and daydreaming about Sisyphus' happiness

I’ve been banging my head against Nix for the past few weeks in an attempt to turn Nixpak into a system module for NixOS. The basic idea is to have something similar to the Firejail security module that already exists, but configured entirely in Nix instead of relying on external files on /etc. Now, the thing is I am not very good with Nix, not to say that I am utterly incompetent. I’ve been trying, but I keep getting thousand line traces I do not know how to interpret.

My plan is to:

  1. Define a module for Nixpak
  2. mkIf an overlay with nixpaked packages in case the module was activated
  3. Let the user define their own configurations for each package’s sandbox in a map
  4. Wrap the user’s given configs in a mkNixPak call and add their packages to the overlay map

Here is what I have:

{ config, lib, pkgs, ... }:

let
  cfg = config.security.nixpak;
  nixpakModule = import ../modules;
  mkNixPak = nixpakModule { inherit pkgs lib; };
in {
  options.security.nixpak = {
    enable = lib.mkEnableOption "nixpak";

    apps = with lib.types; lib.mkOption {
      #type = attrsOf (submodule nixpakModule) # I do not know how to use submodule;
      type = lib.types.anything;
      default = {};
      description = ''
        Wrap the binaries in nixpak and overlay the originals
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [
        (final: prev: 
          builtins.mapAttrs 
            (
              package: nixPakConfig:
                mkNixPak { config = (nixPakConfig); }
            ) cfg.apps
        )
    ];
  };
}

I get the following error, even though I am almost sure Nixpak should be the one handling sloth:

error: function 'hello' called without required argument 'sloth'

       at /home/neirenoir/projects/kopikita/security.nix:10:15:

            9|     apps = {
           10|       hello = { sloth, ... }: {
             |               ^
           11|         app.package = pkgs.hello;

This is the conversation for the idea on how to implement this. Could someone more competent than me chime in and tell me what am I doing wrong? To be honest I do not even know if my plan is sound or if there is a better approach for this.

Thanks in advance!

Bumping this, as I am still interested. I can try to provide a tar with a mock system configuration where everything is already set up to attempt a build-vm.