Function( Function { head: Destructured( FunctionHeadDestructured { ellipsis: true, identifier: None, arguments: [ FunctionHeadDestructuredArgument { identifier: "config", default: None, }, FunctionHeadDestructuredArgument { identifier: "pkgs", default: None, }, FunctionHeadDestructuredArgument { identifier: "lib", default: None, }, FunctionHeadDestructuredArgument { identifier: "utils", default: None, }, ], }, ), body: LetIn( LetIn { bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "toplevelConfig", span: Span { start: Position { line: 4, column: 3, }, end: Position { line: 4, column: 17, }, }, }, ), ], to: Identifier( Identifier { id: "config", span: Span { start: Position { line: 4, column: 20, }, end: Position { line: 4, column: 26, }, }, }, ), }, ), Inherit( BindingInherit { from: Some( Identifier( Identifier { id: "lib", span: Span { start: Position { line: 5, column: 12, }, end: Position { line: 5, column: 15, }, }, }, ), ), attributes: [ Raw( PartRaw { content: "types", span: Span { start: Position { line: 5, column: 17, }, end: Position { line: 5, column: 22, }, }, }, ), ], span: Span { start: Position { line: 3, column: 4, }, end: Position { line: 5, column: 23, }, }, }, ), Inherit( BindingInherit { from: Some( PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "utils", span: Span { start: Position { line: 6, column: 12, }, end: Position { line: 6, column: 17, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "systemdUtils", span: Span { start: Position { line: 6, column: 18, }, end: Position { line: 6, column: 30, }, }, }, ), Raw( PartRaw { content: "lib", span: Span { start: Position { line: 6, column: 31, }, end: Position { line: 6, column: 34, }, }, }, ), ], default: None, }, ), ), attributes: [ Raw( PartRaw { content: "mkPathSafeName", span: Span { start: Position { line: 6, column: 36, }, end: Position { line: 6, column: 50, }, }, }, ), ], span: Span { start: Position { line: 3, column: 4, }, end: Position { line: 6, column: 51, }, }, }, ), ], target: Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "options", span: Span { start: Position { line: 8, column: 3, }, end: Position { line: 8, column: 10, }, }, }, ), Raw( PartRaw { content: "systemd", span: Span { start: Position { line: 8, column: 11, }, end: Position { line: 8, column: 18, }, }, }, ), Raw( PartRaw { content: "services", span: Span { start: Position { line: 8, column: 19, }, end: Position { line: 8, column: 27, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 8, column: 30, }, end: Position { line: 8, column: 33, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mkOption", span: Span { start: Position { line: 8, column: 34, }, end: Position { line: 8, column: 42, }, }, }, ), ], default: None, }, ), arguments: [ Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "type", span: Span { start: Position { line: 9, column: 5, }, end: Position { line: 9, column: 9, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 9, column: 12, }, end: Position { line: 9, column: 17, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "attrsOf", span: Span { start: Position { line: 9, column: 18, }, end: Position { line: 9, column: 25, }, }, }, ), ], default: None, }, ), arguments: [ FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 9, column: 27, }, end: Position { line: 9, column: 32, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "submodule", span: Span { start: Position { line: 9, column: 33, }, end: Position { line: 9, column: 42, }, }, }, ), ], default: None, }, ), arguments: [ Function( Function { head: Destructured( FunctionHeadDestructured { ellipsis: true, identifier: None, arguments: [ FunctionHeadDestructuredArgument { identifier: "name", default: None, }, FunctionHeadDestructuredArgument { identifier: "config", default: None, }, ], }, ), body: Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "options", span: Span { start: Position { line: 10, column: 7, }, end: Position { line: 10, column: 14, }, }, }, ), Raw( PartRaw { content: "confinement", span: Span { start: Position { line: 10, column: 15, }, end: Position { line: 10, column: 26, }, }, }, ), Raw( PartRaw { content: "enable", span: Span { start: Position { line: 10, column: 27, }, end: Position { line: 10, column: 33, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 10, column: 36, }, end: Position { line: 10, column: 39, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mkOption", span: Span { start: Position { line: 10, column: 40, }, end: Position { line: 10, column: 48, }, }, }, ), ], default: None, }, ), arguments: [ Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "type", span: Span { start: Position { line: 11, column: 9, }, end: Position { line: 11, column: 13, }, }, }, ), ], to: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 11, column: 16, }, end: Position { line: 11, column: 21, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "bool", span: Span { start: Position { line: 11, column: 22, }, end: Position { line: 11, column: 26, }, }, }, ), ], default: None, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "default", span: Span { start: Position { line: 12, column: 9, }, end: Position { line: 12, column: 16, }, }, }, ), ], to: Identifier( Identifier { id: "false", span: Span { start: Position { line: 12, column: 19, }, end: Position { line: 12, column: 24, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "description", span: Span { start: Position { line: 13, column: 9, }, end: Position { line: 13, column: 20, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 13, column: 23, }, end: Position { line: 13, column: 26, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mdDoc", span: Span { start: Position { line: 13, column: 27, }, end: Position { line: 13, column: 32, }, }, }, ), ], default: None, }, ), arguments: [ IndentedString( IndentedString { parts: [ Raw( PartRaw { content: "If set, all the required runtime store paths for this service are\nbind-mounted into a `tmpfs`-based\n{manpage}`chroot(2)`.\n", span: Span { start: Position { line: 14, column: 1, }, end: Position { line: 17, column: 9, }, }, }, ), ], span: Span { start: Position { line: 13, column: 33, }, end: Position { line: 17, column: 11, }, }, }, ), ], }, ), }, ), ], span: Span { start: Position { line: 10, column: 49, }, end: Position { line: 18, column: 8, }, }, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "options", span: Span { start: Position { line: 20, column: 7, }, end: Position { line: 20, column: 14, }, }, }, ), Raw( PartRaw { content: "confinement", span: Span { start: Position { line: 20, column: 15, }, end: Position { line: 20, column: 26, }, }, }, ), Raw( PartRaw { content: "fullUnit", span: Span { start: Position { line: 20, column: 27, }, end: Position { line: 20, column: 35, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 20, column: 38, }, end: Position { line: 20, column: 41, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mkOption", span: Span { start: Position { line: 20, column: 42, }, end: Position { line: 20, column: 50, }, }, }, ), ], default: None, }, ), arguments: [ Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "type", span: Span { start: Position { line: 21, column: 9, }, end: Position { line: 21, column: 13, }, }, }, ), ], to: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 21, column: 16, }, end: Position { line: 21, column: 21, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "bool", span: Span { start: Position { line: 21, column: 22, }, end: Position { line: 21, column: 26, }, }, }, ), ], default: None, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "default", span: Span { start: Position { line: 22, column: 9, }, end: Position { line: 22, column: 16, }, }, }, ), ], to: Identifier( Identifier { id: "false", span: Span { start: Position { line: 22, column: 19, }, end: Position { line: 22, column: 24, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "description", span: Span { start: Position { line: 23, column: 9, }, end: Position { line: 23, column: 20, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 23, column: 23, }, end: Position { line: 23, column: 26, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mdDoc", span: Span { start: Position { line: 23, column: 27, }, end: Position { line: 23, column: 32, }, }, }, ), ], default: None, }, ), arguments: [ IndentedString( IndentedString { parts: [ Raw( PartRaw { content: "Whether to include the full closure of the systemd unit file into the\nchroot, instead of just the dependencies for the executables.\n\n::: {.warning}\nWhile it may be tempting to just enable this option to\nmake things work quickly, please be aware that this might add paths\nto the closure of the chroot that you didn't anticipate. It's better\nto use {option}`confinement.packages` to **explicitly** add additional store paths to the\nchroot.\n:::\n", span: Span { start: Position { line: 24, column: 1, }, end: Position { line: 34, column: 9, }, }, }, ), ], span: Span { start: Position { line: 23, column: 33, }, end: Position { line: 34, column: 11, }, }, }, ), ], }, ), }, ), ], span: Span { start: Position { line: 20, column: 51, }, end: Position { line: 35, column: 8, }, }, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "options", span: Span { start: Position { line: 37, column: 7, }, end: Position { line: 37, column: 14, }, }, }, ), Raw( PartRaw { content: "confinement", span: Span { start: Position { line: 37, column: 15, }, end: Position { line: 37, column: 26, }, }, }, ), Raw( PartRaw { content: "packages", span: Span { start: Position { line: 37, column: 27, }, end: Position { line: 37, column: 35, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 37, column: 38, }, end: Position { line: 37, column: 41, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mkOption", span: Span { start: Position { line: 37, column: 42, }, end: Position { line: 37, column: 50, }, }, }, ), ], default: None, }, ), arguments: [ Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "type", span: Span { start: Position { line: 38, column: 9, }, end: Position { line: 38, column: 13, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 38, column: 16, }, end: Position { line: 38, column: 21, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "listOf", span: Span { start: Position { line: 38, column: 22, }, end: Position { line: 38, column: 28, }, }, }, ), ], default: None, }, ), arguments: [ FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 38, column: 30, }, end: Position { line: 38, column: 35, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "either", span: Span { start: Position { line: 38, column: 36, }, end: Position { line: 38, column: 42, }, }, }, ), ], default: None, }, ), arguments: [ PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 38, column: 43, }, end: Position { line: 38, column: 48, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "str", span: Span { start: Position { line: 38, column: 49, }, end: Position { line: 38, column: 52, }, }, }, ), ], default: None, }, ), PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 38, column: 53, }, end: Position { line: 38, column: 58, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "package", span: Span { start: Position { line: 38, column: 59, }, end: Position { line: 38, column: 66, }, }, }, ), ], default: None, }, ), ], }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "default", span: Span { start: Position { line: 39, column: 9, }, end: Position { line: 39, column: 16, }, }, }, ), ], to: List( List { elements: [], span: Span { start: Position { line: 39, column: 19, }, end: Position { line: 39, column: 21, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "description", span: Span { start: Position { line: 40, column: 9, }, end: Position { line: 40, column: 20, }, }, }, ), ], to: LetIn( LetIn { bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "mkScOption", span: Span { start: Position { line: 41, column: 11, }, end: Position { line: 41, column: 21, }, }, }, ), ], to: Function( Function { head: Simple( FunctionHeadSimple { identifier: "optName", }, ), body: String( String_ { parts: [ Raw( PartRaw { content: "{option}`serviceConfig.", span: Span { start: Position { line: 41, column: 34, }, end: Position { line: 41, column: 67, }, }, }, ), Interpolation( PartInterpolation { expression: Identifier( Identifier { id: "optName", span: Span { start: Position { line: 41, column: 59, }, end: Position { line: 41, column: 66, }, }, }, ), }, ), Raw( PartRaw { content: "`", span: Span { start: Position { line: 41, column: 34, }, end: Position { line: 41, column: 68, }, }, }, ), ], span: Span { start: Position { line: 41, column: 33, }, end: Position { line: 41, column: 69, }, }, }, ), span: Span { start: Position { line: 41, column: 24, }, end: Position { line: 41, column: 69, }, }, }, ), }, ), ], target: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 42, column: 12, }, end: Position { line: 42, column: 15, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mdDoc", span: Span { start: Position { line: 42, column: 16, }, end: Position { line: 42, column: 21, }, }, }, ), ], default: None, }, ), arguments: [ IndentedString( IndentedString { parts: [ Raw( PartRaw { content: "Additional packages or strings with context to add to the closure of\nthe chroot. By default, this includes all the packages from the\n", span: Span { start: Position { line: 43, column: 1, }, end: Position { line: 45, column: 11, }, }, }, ), Interpolation( PartInterpolation { expression: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 45, column: 13, }, end: Position { line: 45, column: 16, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "concatMapStringsSep", span: Span { start: Position { line: 45, column: 17, }, end: Position { line: 45, column: 36, }, }, }, ), ], default: None, }, ), arguments: [ String( String_ { parts: [ Raw( PartRaw { content: ", ", span: Span { start: Position { line: 45, column: 38, }, end: Position { line: 45, column: 40, }, }, }, ), ], span: Span { start: Position { line: 45, column: 37, }, end: Position { line: 45, column: 41, }, }, }, ), Identifier( Identifier { id: "mkScOption", span: Span { start: Position { line: 45, column: 42, }, end: Position { line: 45, column: 52, }, }, }, ), List( List { elements: [ String( String_ { parts: [ Raw( PartRaw { content: "ExecReload", span: Span { start: Position { line: 46, column: 14, }, end: Position { line: 46, column: 24, }, }, }, ), ], span: Span { start: Position { line: 46, column: 13, }, end: Position { line: 46, column: 25, }, }, }, ), String( String_ { parts: [ Raw( PartRaw { content: "ExecStartPost", span: Span { start: Position { line: 46, column: 27, }, end: Position { line: 46, column: 40, }, }, }, ), ], span: Span { start: Position { line: 46, column: 26, }, end: Position { line: 46, column: 41, }, }, }, ), String( String_ { parts: [ Raw( PartRaw { content: "ExecStartPre", span: Span { start: Position { line: 46, column: 43, }, end: Position { line: 46, column: 55, }, }, }, ), ], span: Span { start: Position { line: 46, column: 42, }, end: Position { line: 46, column: 56, }, }, }, ), String( String_ { parts: [ Raw( PartRaw { content: "ExecStop", span: Span { start: Position { line: 46, column: 58, }, end: Position { line: 46, column: 66, }, }, }, ), ], span: Span { start: Position { line: 46, column: 57, }, end: Position { line: 46, column: 67, }, }, }, ), String( String_ { parts: [ Raw( PartRaw { content: "ExecStopPost", span: Span { start: Position { line: 47, column: 14, }, end: Position { line: 47, column: 26, }, }, }, ), ], span: Span { start: Position { line: 47, column: 13, }, end: Position { line: 47, column: 27, }, }, }, ), ], span: Span { start: Position { line: 45, column: 53, }, end: Position { line: 48, column: 12, }, }, }, ), ], }, ), }, ), Raw( PartRaw { content: " and ", span: Span { start: Position { line: 43, column: 1, }, end: Position { line: 48, column: 18, }, }, }, ), Interpolation( PartInterpolation { expression: FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkScOption", span: Span { start: Position { line: 48, column: 20, }, end: Position { line: 48, column: 30, }, }, }, ), arguments: [ String( String_ { parts: [ Raw( PartRaw { content: "ExecStart", span: Span { start: Position { line: 48, column: 32, }, end: Position { line: 48, column: 41, }, }, }, ), ], span: Span { start: Position { line: 48, column: 31, }, end: Position { line: 48, column: 42, }, }, }, ), ], }, ), }, ), Raw( PartRaw { content: " options. If you want to have all the\ndependencies of this systemd unit, you can use\n{option}`confinement.fullUnit`.\n\n::: {.note}\nThe store paths listed in {option}`path` are\n**not** included in the closure as\nwell as paths from other options except those listed\nabove.\n:::\n", span: Span { start: Position { line: 43, column: 1, }, end: Position { line: 58, column: 9, }, }, }, ), ], span: Span { start: Position { line: 42, column: 22, }, end: Position { line: 58, column: 11, }, }, }, ), ], }, ), span: Span { start: Position { line: 40, column: 23, }, end: Position { line: 58, column: 11, }, }, }, ), }, ), ], span: Span { start: Position { line: 37, column: 51, }, end: Position { line: 59, column: 8, }, }, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "options", span: Span { start: Position { line: 61, column: 7, }, end: Position { line: 61, column: 14, }, }, }, ), Raw( PartRaw { content: "confinement", span: Span { start: Position { line: 61, column: 15, }, end: Position { line: 61, column: 26, }, }, }, ), Raw( PartRaw { content: "binSh", span: Span { start: Position { line: 61, column: 27, }, end: Position { line: 61, column: 32, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 61, column: 35, }, end: Position { line: 61, column: 38, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mkOption", span: Span { start: Position { line: 61, column: 39, }, end: Position { line: 61, column: 47, }, }, }, ), ], default: None, }, ), arguments: [ Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "type", span: Span { start: Position { line: 62, column: 9, }, end: Position { line: 62, column: 13, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 62, column: 16, }, end: Position { line: 62, column: 21, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "nullOr", span: Span { start: Position { line: 62, column: 22, }, end: Position { line: 62, column: 28, }, }, }, ), ], default: None, }, ), arguments: [ PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 62, column: 29, }, end: Position { line: 62, column: 34, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "path", span: Span { start: Position { line: 62, column: 35, }, end: Position { line: 62, column: 39, }, }, }, ), ], default: None, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "default", span: Span { start: Position { line: 63, column: 9, }, end: Position { line: 63, column: 16, }, }, }, ), ], to: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "toplevelConfig", span: Span { start: Position { line: 63, column: 19, }, end: Position { line: 63, column: 33, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "environment", span: Span { start: Position { line: 63, column: 34, }, end: Position { line: 63, column: 45, }, }, }, ), Raw( PartRaw { content: "binsh", span: Span { start: Position { line: 63, column: 46, }, end: Position { line: 63, column: 51, }, }, }, ), ], default: None, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "defaultText", span: Span { start: Position { line: 64, column: 9, }, end: Position { line: 64, column: 20, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 64, column: 23, }, end: Position { line: 64, column: 26, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "literalExpression", span: Span { start: Position { line: 64, column: 27, }, end: Position { line: 64, column: 44, }, }, }, ), ], default: None, }, ), arguments: [ String( String_ { parts: [ Raw( PartRaw { content: "config.environment.binsh", span: Span { start: Position { line: 64, column: 46, }, end: Position { line: 64, column: 70, }, }, }, ), ], span: Span { start: Position { line: 64, column: 45, }, end: Position { line: 64, column: 71, }, }, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "example", span: Span { start: Position { line: 65, column: 9, }, end: Position { line: 65, column: 16, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 65, column: 19, }, end: Position { line: 65, column: 22, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "literalExpression", span: Span { start: Position { line: 65, column: 23, }, end: Position { line: 65, column: 40, }, }, }, ), ], default: None, }, ), arguments: [ IndentedString( IndentedString { parts: [ Raw( PartRaw { content: "\"", span: Span { start: Position { line: 65, column: 43, }, end: Position { line: 65, column: 44, }, }, }, ), Raw( PartRaw { content: "$", span: Span { start: Position { line: 65, column: 43, }, end: Position { line: 65, column: 47, }, }, }, ), Raw( PartRaw { content: "{pkgs.dash}/bin/dash\"", span: Span { start: Position { line: 65, column: 43, }, end: Position { line: 65, column: 68, }, }, }, ), ], span: Span { start: Position { line: 65, column: 41, }, end: Position { line: 65, column: 70, }, }, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "description", span: Span { start: Position { line: 66, column: 9, }, end: Position { line: 66, column: 20, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 66, column: 23, }, end: Position { line: 66, column: 26, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mdDoc", span: Span { start: Position { line: 66, column: 27, }, end: Position { line: 66, column: 32, }, }, }, ), ], default: None, }, ), arguments: [ IndentedString( IndentedString { parts: [ Raw( PartRaw { content: "The program to make available as {file}`/bin/sh` inside\nthe chroot. If this is set to `null`, no\n{file}`/bin/sh` is provided at all.\n\nThis is useful for some applications, which for example use the\n{manpage}`system(3)` library function to execute commands.\n", span: Span { start: Position { line: 67, column: 1, }, end: Position { line: 73, column: 9, }, }, }, ), ], span: Span { start: Position { line: 66, column: 33, }, end: Position { line: 73, column: 11, }, }, }, ), ], }, ), }, ), ], span: Span { start: Position { line: 61, column: 48, }, end: Position { line: 74, column: 8, }, }, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "options", span: Span { start: Position { line: 76, column: 7, }, end: Position { line: 76, column: 14, }, }, }, ), Raw( PartRaw { content: "confinement", span: Span { start: Position { line: 76, column: 15, }, end: Position { line: 76, column: 26, }, }, }, ), Raw( PartRaw { content: "mode", span: Span { start: Position { line: 76, column: 27, }, end: Position { line: 76, column: 31, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 76, column: 34, }, end: Position { line: 76, column: 37, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mkOption", span: Span { start: Position { line: 76, column: 38, }, end: Position { line: 76, column: 46, }, }, }, ), ], default: None, }, ), arguments: [ Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "type", span: Span { start: Position { line: 77, column: 9, }, end: Position { line: 77, column: 13, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 77, column: 16, }, end: Position { line: 77, column: 21, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "enum", span: Span { start: Position { line: 77, column: 22, }, end: Position { line: 77, column: 26, }, }, }, ), ], default: None, }, ), arguments: [ List( List { elements: [ String( String_ { parts: [ Raw( PartRaw { content: "full-apivfs", span: Span { start: Position { line: 77, column: 30, }, end: Position { line: 77, column: 41, }, }, }, ), ], span: Span { start: Position { line: 77, column: 29, }, end: Position { line: 77, column: 42, }, }, }, ), String( String_ { parts: [ Raw( PartRaw { content: "chroot-only", span: Span { start: Position { line: 77, column: 44, }, end: Position { line: 77, column: 55, }, }, }, ), ], span: Span { start: Position { line: 77, column: 43, }, end: Position { line: 77, column: 56, }, }, }, ), ], span: Span { start: Position { line: 77, column: 27, }, end: Position { line: 77, column: 58, }, }, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "default", span: Span { start: Position { line: 78, column: 9, }, end: Position { line: 78, column: 16, }, }, }, ), ], to: String( String_ { parts: [ Raw( PartRaw { content: "full-apivfs", span: Span { start: Position { line: 78, column: 20, }, end: Position { line: 78, column: 31, }, }, }, ), ], span: Span { start: Position { line: 78, column: 19, }, end: Position { line: 78, column: 32, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "description", span: Span { start: Position { line: 79, column: 9, }, end: Position { line: 79, column: 20, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 79, column: 23, }, end: Position { line: 79, column: 26, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mdDoc", span: Span { start: Position { line: 79, column: 27, }, end: Position { line: 79, column: 32, }, }, }, ), ], default: None, }, ), arguments: [ IndentedString( IndentedString { parts: [ Raw( PartRaw { content: "The value `full-apivfs` (the default) sets up\nprivate {file}`/dev`, {file}`/proc`,\n{file}`/sys` and {file}`/tmp` file systems in a separate user\nname space.\n\nIf this is set to `chroot-only`, only the file\nsystem name space is set up along with the call to\n{manpage}`chroot(2)`.\n\n::: {.note}\nThis doesn't cover network namespaces and is solely for\nfile system level isolation.\n:::\n", span: Span { start: Position { line: 80, column: 1, }, end: Position { line: 93, column: 9, }, }, }, ), ], span: Span { start: Position { line: 79, column: 33, }, end: Position { line: 93, column: 11, }, }, }, ), ], }, ), }, ), ], span: Span { start: Position { line: 76, column: 47, }, end: Position { line: 94, column: 8, }, }, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "config", span: Span { start: Position { line: 96, column: 7, }, end: Position { line: 96, column: 13, }, }, }, ), ], to: LetIn( LetIn { bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "rootName", span: Span { start: Position { line: 97, column: 9, }, end: Position { line: 97, column: 17, }, }, }, ), ], to: String( String_ { parts: [ Interpolation( PartInterpolation { expression: FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkPathSafeName", span: Span { start: Position { line: 97, column: 23, }, end: Position { line: 97, column: 37, }, }, }, ), arguments: [ Identifier( Identifier { id: "name", span: Span { start: Position { line: 97, column: 38, }, end: Position { line: 97, column: 42, }, }, }, ), ], }, ), }, ), Raw( PartRaw { content: "-chroot", span: Span { start: Position { line: 97, column: 21, }, end: Position { line: 97, column: 50, }, }, }, ), ], span: Span { start: Position { line: 97, column: 20, }, end: Position { line: 97, column: 51, }, }, }, ), }, ), Inherit( BindingInherit { from: Some( PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "config", span: Span { start: Position { line: 98, column: 18, }, end: Position { line: 98, column: 24, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "confinement", span: Span { start: Position { line: 98, column: 25, }, end: Position { line: 98, column: 36, }, }, }, ), ], default: None, }, ), ), attributes: [ Raw( PartRaw { content: "binSh", span: Span { start: Position { line: 98, column: 38, }, end: Position { line: 98, column: 43, }, }, }, ), Raw( PartRaw { content: "fullUnit", span: Span { start: Position { line: 98, column: 44, }, end: Position { line: 98, column: 52, }, }, }, ), ], span: Span { start: Position { line: 96, column: 19, }, end: Position { line: 98, column: 53, }, }, }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "wantsAPIVFS", span: Span { start: Position { line: 99, column: 9, }, end: Position { line: 99, column: 20, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 99, column: 23, }, end: Position { line: 99, column: 26, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mkDefault", span: Span { start: Position { line: 99, column: 27, }, end: Position { line: 99, column: 36, }, }, }, ), ], default: None, }, ), arguments: [ BinaryOperation( BinaryOperation { left: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "config", span: Span { start: Position { line: 99, column: 38, }, end: Position { line: 99, column: 44, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "confinement", span: Span { start: Position { line: 99, column: 45, }, end: Position { line: 99, column: 56, }, }, }, ), Raw( PartRaw { content: "mode", span: Span { start: Position { line: 99, column: 57, }, end: Position { line: 99, column: 61, }, }, }, ), ], default: None, }, ), operator: EqualTo, right: String( String_ { parts: [ Raw( PartRaw { content: "full-apivfs", span: Span { start: Position { line: 99, column: 66, }, end: Position { line: 99, column: 77, }, }, }, ), ], span: Span { start: Position { line: 99, column: 65, }, end: Position { line: 99, column: 78, }, }, }, ), }, ), ], }, ), }, ), ], target: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 100, column: 10, }, end: Position { line: 100, column: 13, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mkIf", span: Span { start: Position { line: 100, column: 14, }, end: Position { line: 100, column: 18, }, }, }, ), ], default: None, }, ), arguments: [ PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "config", span: Span { start: Position { line: 100, column: 19, }, end: Position { line: 100, column: 25, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "confinement", span: Span { start: Position { line: 100, column: 26, }, end: Position { line: 100, column: 37, }, }, }, ), Raw( PartRaw { content: "enable", span: Span { start: Position { line: 100, column: 38, }, end: Position { line: 100, column: 44, }, }, }, ), ], default: None, }, ), Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "serviceConfig", span: Span { start: Position { line: 101, column: 9, }, end: Position { line: 101, column: 22, }, }, }, ), ], to: Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "RootDirectory", span: Span { start: Position { line: 102, column: 11, }, end: Position { line: 102, column: 24, }, }, }, ), ], to: String( String_ { parts: [ Raw( PartRaw { content: "/var/empty", span: Span { start: Position { line: 102, column: 28, }, end: Position { line: 102, column: 38, }, }, }, ), ], span: Span { start: Position { line: 102, column: 27, }, end: Position { line: 102, column: 39, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "TemporaryFileSystem", span: Span { start: Position { line: 103, column: 11, }, end: Position { line: 103, column: 30, }, }, }, ), ], to: String( String_ { parts: [ Raw( PartRaw { content: "/", span: Span { start: Position { line: 103, column: 34, }, end: Position { line: 103, column: 35, }, }, }, ), ], span: Span { start: Position { line: 103, column: 33, }, end: Position { line: 103, column: 36, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "PrivateMounts", span: Span { start: Position { line: 104, column: 11, }, end: Position { line: 104, column: 24, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 104, column: 27, }, end: Position { line: 104, column: 30, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mkDefault", span: Span { start: Position { line: 104, column: 31, }, end: Position { line: 104, column: 40, }, }, }, ), ], default: None, }, ), arguments: [ Identifier( Identifier { id: "true", span: Span { start: Position { line: 104, column: 41, }, end: Position { line: 104, column: 45, }, }, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "MountAPIVFS", span: Span { start: Position { line: 117, column: 11, }, end: Position { line: 117, column: 22, }, }, }, ), ], to: Identifier( Identifier { id: "wantsAPIVFS", span: Span { start: Position { line: 117, column: 25, }, end: Position { line: 117, column: 36, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "PrivateDevices", span: Span { start: Position { line: 118, column: 11, }, end: Position { line: 118, column: 25, }, }, }, ), ], to: Identifier( Identifier { id: "wantsAPIVFS", span: Span { start: Position { line: 118, column: 28, }, end: Position { line: 118, column: 39, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "PrivateTmp", span: Span { start: Position { line: 119, column: 11, }, end: Position { line: 119, column: 21, }, }, }, ), ], to: Identifier( Identifier { id: "wantsAPIVFS", span: Span { start: Position { line: 119, column: 24, }, end: Position { line: 119, column: 35, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "PrivateUsers", span: Span { start: Position { line: 120, column: 11, }, end: Position { line: 120, column: 23, }, }, }, ), ], to: Identifier( Identifier { id: "wantsAPIVFS", span: Span { start: Position { line: 120, column: 26, }, end: Position { line: 120, column: 37, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "ProtectControlGroups", span: Span { start: Position { line: 121, column: 11, }, end: Position { line: 121, column: 31, }, }, }, ), ], to: Identifier( Identifier { id: "wantsAPIVFS", span: Span { start: Position { line: 121, column: 34, }, end: Position { line: 121, column: 45, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "ProtectKernelModules", span: Span { start: Position { line: 122, column: 11, }, end: Position { line: 122, column: 31, }, }, }, ), ], to: Identifier( Identifier { id: "wantsAPIVFS", span: Span { start: Position { line: 122, column: 34, }, end: Position { line: 122, column: 45, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "ProtectKernelTunables", span: Span { start: Position { line: 123, column: 11, }, end: Position { line: 123, column: 32, }, }, }, ), ], to: Identifier( Identifier { id: "wantsAPIVFS", span: Span { start: Position { line: 123, column: 35, }, end: Position { line: 123, column: 46, }, }, }, ), }, ), ], span: Span { start: Position { line: 101, column: 25, }, end: Position { line: 124, column: 10, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "confinement", span: Span { start: Position { line: 125, column: 9, }, end: Position { line: 125, column: 20, }, }, }, ), Raw( PartRaw { content: "packages", span: Span { start: Position { line: 125, column: 21, }, end: Position { line: 125, column: 29, }, }, }, ), ], to: LetIn( LetIn { bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "execOpts", span: Span { start: Position { line: 126, column: 11, }, end: Position { line: 126, column: 19, }, }, }, ), ], to: List( List { elements: [ String( String_ { parts: [ Raw( PartRaw { content: "ExecReload", span: Span { start: Position { line: 127, column: 14, }, end: Position { line: 127, column: 24, }, }, }, ), ], span: Span { start: Position { line: 127, column: 13, }, end: Position { line: 127, column: 25, }, }, }, ), String( String_ { parts: [ Raw( PartRaw { content: "ExecStart", span: Span { start: Position { line: 127, column: 27, }, end: Position { line: 127, column: 36, }, }, }, ), ], span: Span { start: Position { line: 127, column: 26, }, end: Position { line: 127, column: 37, }, }, }, ), String( String_ { parts: [ Raw( PartRaw { content: "ExecStartPost", span: Span { start: Position { line: 127, column: 39, }, end: Position { line: 127, column: 52, }, }, }, ), ], span: Span { start: Position { line: 127, column: 38, }, end: Position { line: 127, column: 53, }, }, }, ), String( String_ { parts: [ Raw( PartRaw { content: "ExecStartPre", span: Span { start: Position { line: 127, column: 55, }, end: Position { line: 127, column: 67, }, }, }, ), ], span: Span { start: Position { line: 127, column: 54, }, end: Position { line: 127, column: 68, }, }, }, ), String( String_ { parts: [ Raw( PartRaw { content: "ExecStop", span: Span { start: Position { line: 127, column: 70, }, end: Position { line: 127, column: 78, }, }, }, ), ], span: Span { start: Position { line: 127, column: 69, }, end: Position { line: 127, column: 79, }, }, }, ), String( String_ { parts: [ Raw( PartRaw { content: "ExecStopPost", span: Span { start: Position { line: 128, column: 14, }, end: Position { line: 128, column: 26, }, }, }, ), ], span: Span { start: Position { line: 128, column: 13, }, end: Position { line: 128, column: 27, }, }, }, ), ], span: Span { start: Position { line: 126, column: 22, }, end: Position { line: 129, column: 12, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "execPkgs", span: Span { start: Position { line: 130, column: 11, }, end: Position { line: 130, column: 19, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 130, column: 22, }, end: Position { line: 130, column: 25, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "concatMap", span: Span { start: Position { line: 130, column: 26, }, end: Position { line: 130, column: 35, }, }, }, ), ], default: None, }, ), arguments: [ Function( Function { head: Simple( FunctionHeadSimple { identifier: "opt", }, ), body: LetIn( LetIn { bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "isSet", span: Span { start: Position { line: 131, column: 13, }, end: Position { line: 131, column: 18, }, }, }, ), ], to: HasAttribute( HasAttribute { expression: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "config", span: Span { start: Position { line: 131, column: 21, }, end: Position { line: 131, column: 27, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "serviceConfig", span: Span { start: Position { line: 131, column: 28, }, end: Position { line: 131, column: 41, }, }, }, ), ], default: None, }, ), attribute_path: [ Interpolation( PartInterpolation { expression: Identifier( Identifier { id: "opt", span: Span { start: Position { line: 131, column: 46, }, end: Position { line: 131, column: 49, }, }, }, ), }, ), ], }, ), }, ), ], target: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 132, column: 14, }, end: Position { line: 132, column: 17, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "flatten", span: Span { start: Position { line: 132, column: 18, }, end: Position { line: 132, column: 25, }, }, }, ), ], default: None, }, ), arguments: [ FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 132, column: 27, }, end: Position { line: 132, column: 30, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "optional", span: Span { start: Position { line: 132, column: 31, }, end: Position { line: 132, column: 39, }, }, }, ), ], default: None, }, ), arguments: [ Identifier( Identifier { id: "isSet", span: Span { start: Position { line: 132, column: 40, }, end: Position { line: 132, column: 45, }, }, }, ), PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "config", span: Span { start: Position { line: 132, column: 46, }, end: Position { line: 132, column: 52, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "serviceConfig", span: Span { start: Position { line: 132, column: 53, }, end: Position { line: 132, column: 66, }, }, }, ), Interpolation( PartInterpolation { expression: Identifier( Identifier { id: "opt", span: Span { start: Position { line: 132, column: 69, }, end: Position { line: 132, column: 72, }, }, }, ), }, ), ], default: None, }, ), ], }, ), ], }, ), span: Span { start: Position { line: 130, column: 42, }, end: Position { line: 132, column: 74, }, }, }, ), span: Span { start: Position { line: 130, column: 37, }, end: Position { line: 132, column: 74, }, }, }, ), Identifier( Identifier { id: "execOpts", span: Span { start: Position { line: 132, column: 76, }, end: Position { line: 132, column: 84, }, }, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "unitAttrs", span: Span { start: Position { line: 133, column: 11, }, end: Position { line: 133, column: 20, }, }, }, ), ], to: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "toplevelConfig", span: Span { start: Position { line: 133, column: 23, }, end: Position { line: 133, column: 37, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "systemd", span: Span { start: Position { line: 133, column: 38, }, end: Position { line: 133, column: 45, }, }, }, ), Raw( PartRaw { content: "units", span: Span { start: Position { line: 133, column: 46, }, end: Position { line: 133, column: 51, }, }, }, ), Expression( PartExpression { expression: String( String_ { parts: [ Interpolation( PartInterpolation { expression: Identifier( Identifier { id: "name", span: Span { start: Position { line: 133, column: 55, }, end: Position { line: 133, column: 59, }, }, }, ), }, ), Raw( PartRaw { content: ".service", span: Span { start: Position { line: 133, column: 53, }, end: Position { line: 133, column: 68, }, }, }, ), ], span: Span { start: Position { line: 133, column: 52, }, end: Position { line: 133, column: 69, }, }, }, ), }, ), ], default: None, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "allPkgs", span: Span { start: Position { line: 134, column: 11, }, end: Position { line: 134, column: 18, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 134, column: 21, }, end: Position { line: 134, column: 24, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "singleton", span: Span { start: Position { line: 134, column: 25, }, end: Position { line: 134, column: 34, }, }, }, ), ], default: None, }, ), arguments: [ FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "builtins", span: Span { start: Position { line: 134, column: 36, }, end: Position { line: 134, column: 44, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "toJSON", span: Span { start: Position { line: 134, column: 45, }, end: Position { line: 134, column: 51, }, }, }, ), ], default: None, }, ), arguments: [ Identifier( Identifier { id: "unitAttrs", span: Span { start: Position { line: 134, column: 52, }, end: Position { line: 134, column: 61, }, }, }, ), ], }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "unitPkgs", span: Span { start: Position { line: 135, column: 11, }, end: Position { line: 135, column: 19, }, }, }, ), ], to: IfThenElse( IfThenElse { predicate: Identifier( Identifier { id: "fullUnit", span: Span { start: Position { line: 135, column: 25, }, end: Position { line: 135, column: 33, }, }, }, ), then: Identifier( Identifier { id: "allPkgs", span: Span { start: Position { line: 135, column: 39, }, end: Position { line: 135, column: 46, }, }, }, ), else_: Identifier( Identifier { id: "execPkgs", span: Span { start: Position { line: 135, column: 52, }, end: Position { line: 135, column: 60, }, }, }, ), span: Span { start: Position { line: 135, column: 22, }, end: Position { line: 135, column: 60, }, }, }, ), }, ), ], target: BinaryOperation( BinaryOperation { left: Identifier( Identifier { id: "unitPkgs", span: Span { start: Position { line: 136, column: 12, }, end: Position { line: 136, column: 20, }, }, }, ), operator: Concatenation, right: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 136, column: 24, }, end: Position { line: 136, column: 27, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "optional", span: Span { start: Position { line: 136, column: 28, }, end: Position { line: 136, column: 36, }, }, }, ), ], default: None, }, ), arguments: [ BinaryOperation( BinaryOperation { left: Identifier( Identifier { id: "binSh", span: Span { start: Position { line: 136, column: 38, }, end: Position { line: 136, column: 43, }, }, }, ), operator: NotEqualTo, right: Identifier( Identifier { id: "null", span: Span { start: Position { line: 136, column: 47, }, end: Position { line: 136, column: 51, }, }, }, ), }, ), Identifier( Identifier { id: "binSh", span: Span { start: Position { line: 136, column: 53, }, end: Position { line: 136, column: 58, }, }, }, ), ], }, ), }, ), span: Span { start: Position { line: 125, column: 32, }, end: Position { line: 136, column: 58, }, }, }, ), }, ), ], span: Span { start: Position { line: 100, column: 45, }, end: Position { line: 137, column: 8, }, }, }, ), ], }, ), span: Span { start: Position { line: 96, column: 16, }, end: Position { line: 137, column: 8, }, }, }, ), }, ), ], span: Span { start: Position { line: 9, column: 67, }, end: Position { line: 138, column: 6, }, }, }, ), span: Span { start: Position { line: 9, column: 44, }, end: Position { line: 138, column: 6, }, }, }, ), ], }, ), ], }, ), }, ), ], span: Span { start: Position { line: 8, column: 43, }, end: Position { line: 139, column: 4, }, }, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "config", span: Span { start: Position { line: 141, column: 3, }, end: Position { line: 141, column: 9, }, }, }, ), Raw( PartRaw { content: "assertions", span: Span { start: Position { line: 141, column: 10, }, end: Position { line: 141, column: 20, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 141, column: 23, }, end: Position { line: 141, column: 26, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "concatLists", span: Span { start: Position { line: 141, column: 27, }, end: Position { line: 141, column: 38, }, }, }, ), ], default: None, }, ), arguments: [ FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 141, column: 40, }, end: Position { line: 141, column: 43, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mapAttrsToList", span: Span { start: Position { line: 141, column: 44, }, end: Position { line: 141, column: 58, }, }, }, ), ], default: None, }, ), arguments: [ Function( Function { head: Simple( FunctionHeadSimple { identifier: "name", }, ), body: Function( Function { head: Simple( FunctionHeadSimple { identifier: "cfg", }, ), body: LetIn( LetIn { bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "whatOpt", span: Span { start: Position { line: 142, column: 5, }, end: Position { line: 142, column: 12, }, }, }, ), ], to: Function( Function { head: Simple( FunctionHeadSimple { identifier: "optName", }, ), body: BinaryOperation( BinaryOperation { left: BinaryOperation( BinaryOperation { left: String( String_ { parts: [ Raw( PartRaw { content: "The 'serviceConfig' option '", span: Span { start: Position { line: 142, column: 25, }, end: Position { line: 142, column: 63, }, }, }, ), Interpolation( PartInterpolation { expression: Identifier( Identifier { id: "optName", span: Span { start: Position { line: 142, column: 55, }, end: Position { line: 142, column: 62, }, }, }, ), }, ), Raw( PartRaw { content: "' for", span: Span { start: Position { line: 142, column: 25, }, end: Position { line: 142, column: 68, }, }, }, ), ], span: Span { start: Position { line: 142, column: 24, }, end: Position { line: 142, column: 69, }, }, }, ), operator: Addition, right: String( String_ { parts: [ Raw( PartRaw { content: " service '", span: Span { start: Position { line: 143, column: 24, }, end: Position { line: 143, column: 41, }, }, }, ), Interpolation( PartInterpolation { expression: Identifier( Identifier { id: "name", span: Span { start: Position { line: 143, column: 36, }, end: Position { line: 143, column: 40, }, }, }, ), }, ), Raw( PartRaw { content: "' is enabled in conjunction with", span: Span { start: Position { line: 143, column: 24, }, end: Position { line: 143, column: 73, }, }, }, ), ], span: Span { start: Position { line: 143, column: 23, }, end: Position { line: 143, column: 74, }, }, }, ), }, ), operator: Addition, right: String( String_ { parts: [ Raw( PartRaw { content: " 'confinement.enable'", span: Span { start: Position { line: 144, column: 24, }, end: Position { line: 144, column: 45, }, }, }, ), ], span: Span { start: Position { line: 144, column: 23, }, end: Position { line: 144, column: 46, }, }, }, ), }, ), span: Span { start: Position { line: 142, column: 15, }, end: Position { line: 144, column: 46, }, }, }, ), }, ), ], target: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 145, column: 6, }, end: Position { line: 145, column: 9, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "optionals", span: Span { start: Position { line: 145, column: 10, }, end: Position { line: 145, column: 19, }, }, }, ), ], default: None, }, ), arguments: [ PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "cfg", span: Span { start: Position { line: 145, column: 20, }, end: Position { line: 145, column: 23, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "confinement", span: Span { start: Position { line: 145, column: 24, }, end: Position { line: 145, column: 35, }, }, }, ), Raw( PartRaw { content: "enable", span: Span { start: Position { line: 145, column: 36, }, end: Position { line: 145, column: 42, }, }, }, ), ], default: None, }, ), List( List { elements: [ Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "assertion", span: Span { start: Position { line: 146, column: 7, }, end: Position { line: 146, column: 16, }, }, }, ), ], to: UnaryOperation( UnaryOperation { operator: Not, operand: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "cfg", span: Span { start: Position { line: 146, column: 20, }, end: Position { line: 146, column: 23, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "serviceConfig", span: Span { start: Position { line: 146, column: 24, }, end: Position { line: 146, column: 37, }, }, }, ), Raw( PartRaw { content: "RootDirectoryStartOnly", span: Span { start: Position { line: 146, column: 38, }, end: Position { line: 146, column: 60, }, }, }, ), ], default: Some( Identifier( Identifier { id: "false", span: Span { start: Position { line: 146, column: 64, }, end: Position { line: 146, column: 69, }, }, }, ), ), }, ), span: Span { start: Position { line: 146, column: 19, }, end: Position { line: 146, column: 69, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "message", span: Span { start: Position { line: 147, column: 7, }, end: Position { line: 147, column: 14, }, }, }, ), ], to: BinaryOperation( BinaryOperation { left: BinaryOperation( BinaryOperation { left: BinaryOperation( BinaryOperation { left: String( String_ { parts: [ Interpolation( PartInterpolation { expression: FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "whatOpt", span: Span { start: Position { line: 147, column: 20, }, end: Position { line: 147, column: 27, }, }, }, ), arguments: [ String( String_ { parts: [ Raw( PartRaw { content: "RootDirectoryStartOnly", span: Span { start: Position { line: 147, column: 29, }, end: Position { line: 147, column: 51, }, }, }, ), ], span: Span { start: Position { line: 147, column: 28, }, end: Position { line: 147, column: 52, }, }, }, ), ], }, ), }, ), Raw( PartRaw { content: ", but right now systemd", span: Span { start: Position { line: 147, column: 18, }, end: Position { line: 147, column: 76, }, }, }, ), ], span: Span { start: Position { line: 147, column: 17, }, end: Position { line: 147, column: 77, }, }, }, ), operator: Addition, right: String( String_ { parts: [ Raw( PartRaw { content: " doesn't support restricting bind-mounts to 'ExecStart'.", span: Span { start: Position { line: 148, column: 18, }, end: Position { line: 148, column: 74, }, }, }, ), ], span: Span { start: Position { line: 148, column: 17, }, end: Position { line: 148, column: 75, }, }, }, ), }, ), operator: Addition, right: String( String_ { parts: [ Raw( PartRaw { content: " Please either define a separate service or find a way to run", span: Span { start: Position { line: 149, column: 18, }, end: Position { line: 149, column: 79, }, }, }, ), ], span: Span { start: Position { line: 149, column: 17, }, end: Position { line: 149, column: 80, }, }, }, ), }, ), operator: Addition, right: String( String_ { parts: [ Raw( PartRaw { content: " commands other than ExecStart within the chroot.", span: Span { start: Position { line: 150, column: 18, }, end: Position { line: 150, column: 67, }, }, }, ), ], span: Span { start: Position { line: 150, column: 17, }, end: Position { line: 150, column: 68, }, }, }, ), }, ), }, ), ], span: Span { start: Position { line: 146, column: 5, }, end: Position { line: 151, column: 6, }, }, }, ), Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "assertion", span: Span { start: Position { line: 152, column: 7, }, end: Position { line: 152, column: 16, }, }, }, ), ], to: UnaryOperation( UnaryOperation { operator: Not, operand: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "cfg", span: Span { start: Position { line: 152, column: 20, }, end: Position { line: 152, column: 23, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "serviceConfig", span: Span { start: Position { line: 152, column: 24, }, end: Position { line: 152, column: 37, }, }, }, ), Raw( PartRaw { content: "DynamicUser", span: Span { start: Position { line: 152, column: 38, }, end: Position { line: 152, column: 49, }, }, }, ), ], default: Some( Identifier( Identifier { id: "false", span: Span { start: Position { line: 152, column: 53, }, end: Position { line: 152, column: 58, }, }, }, ), ), }, ), span: Span { start: Position { line: 152, column: 19, }, end: Position { line: 152, column: 58, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "message", span: Span { start: Position { line: 153, column: 7, }, end: Position { line: 153, column: 14, }, }, }, ), ], to: BinaryOperation( BinaryOperation { left: BinaryOperation( BinaryOperation { left: String( String_ { parts: [ Interpolation( PartInterpolation { expression: FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "whatOpt", span: Span { start: Position { line: 153, column: 20, }, end: Position { line: 153, column: 27, }, }, }, ), arguments: [ String( String_ { parts: [ Raw( PartRaw { content: "DynamicUser", span: Span { start: Position { line: 153, column: 29, }, end: Position { line: 153, column: 40, }, }, }, ), ], span: Span { start: Position { line: 153, column: 28, }, end: Position { line: 153, column: 41, }, }, }, ), ], }, ), }, ), Raw( PartRaw { content: ". Please create a dedicated user via", span: Span { start: Position { line: 153, column: 18, }, end: Position { line: 153, column: 78, }, }, }, ), ], span: Span { start: Position { line: 153, column: 17, }, end: Position { line: 153, column: 79, }, }, }, ), operator: Addition, right: String( String_ { parts: [ Raw( PartRaw { content: " the 'users.users' option instead as this combination is", span: Span { start: Position { line: 154, column: 18, }, end: Position { line: 154, column: 74, }, }, }, ), ], span: Span { start: Position { line: 154, column: 17, }, end: Position { line: 154, column: 75, }, }, }, ), }, ), operator: Addition, right: String( String_ { parts: [ Raw( PartRaw { content: " currently not supported.", span: Span { start: Position { line: 155, column: 18, }, end: Position { line: 155, column: 43, }, }, }, ), ], span: Span { start: Position { line: 155, column: 17, }, end: Position { line: 155, column: 44, }, }, }, ), }, ), }, ), ], span: Span { start: Position { line: 152, column: 5, }, end: Position { line: 156, column: 6, }, }, }, ), Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "assertion", span: Span { start: Position { line: 157, column: 7, }, end: Position { line: 157, column: 16, }, }, }, ), ], to: BinaryOperation( BinaryOperation { left: HasAttribute( HasAttribute { expression: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "cfg", span: Span { start: Position { line: 157, column: 19, }, end: Position { line: 157, column: 22, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "serviceConfig", span: Span { start: Position { line: 157, column: 23, }, end: Position { line: 157, column: 36, }, }, }, ), ], default: None, }, ), attribute_path: [ Raw( PartRaw { content: "ProtectSystem", span: Span { start: Position { line: 157, column: 39, }, end: Position { line: 157, column: 52, }, }, }, ), ], }, ), operator: Implication, right: BinaryOperation( BinaryOperation { left: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "cfg", span: Span { start: Position { line: 157, column: 56, }, end: Position { line: 157, column: 59, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "serviceConfig", span: Span { start: Position { line: 157, column: 60, }, end: Position { line: 157, column: 73, }, }, }, ), Raw( PartRaw { content: "ProtectSystem", span: Span { start: Position { line: 157, column: 74, }, end: Position { line: 157, column: 87, }, }, }, ), ], default: None, }, ), operator: EqualTo, right: Identifier( Identifier { id: "false", span: Span { start: Position { line: 157, column: 91, }, end: Position { line: 157, column: 96, }, }, }, ), }, ), }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "message", span: Span { start: Position { line: 158, column: 7, }, end: Position { line: 158, column: 14, }, }, }, ), ], to: BinaryOperation( BinaryOperation { left: BinaryOperation( BinaryOperation { left: String( String_ { parts: [ Interpolation( PartInterpolation { expression: FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "whatOpt", span: Span { start: Position { line: 158, column: 20, }, end: Position { line: 158, column: 27, }, }, }, ), arguments: [ String( String_ { parts: [ Raw( PartRaw { content: "ProtectSystem", span: Span { start: Position { line: 158, column: 29, }, end: Position { line: 158, column: 42, }, }, }, ), ], span: Span { start: Position { line: 158, column: 28, }, end: Position { line: 158, column: 43, }, }, }, ), ], }, ), }, ), Raw( PartRaw { content: ". ProtectSystem is not compatible", span: Span { start: Position { line: 158, column: 18, }, end: Position { line: 158, column: 77, }, }, }, ), ], span: Span { start: Position { line: 158, column: 17, }, end: Position { line: 158, column: 78, }, }, }, ), operator: Addition, right: String( String_ { parts: [ Raw( PartRaw { content: " with service confinement as it fails to remount /usr within", span: Span { start: Position { line: 159, column: 18, }, end: Position { line: 159, column: 78, }, }, }, ), ], span: Span { start: Position { line: 159, column: 17, }, end: Position { line: 159, column: 79, }, }, }, ), }, ), operator: Addition, right: String( String_ { parts: [ Raw( PartRaw { content: " our chroot. Please disable the option.", span: Span { start: Position { line: 160, column: 18, }, end: Position { line: 160, column: 57, }, }, }, ), ], span: Span { start: Position { line: 160, column: 17, }, end: Position { line: 160, column: 58, }, }, }, ), }, ), }, ), ], span: Span { start: Position { line: 157, column: 5, }, end: Position { line: 161, column: 6, }, }, }, ), ], span: Span { start: Position { line: 145, column: 43, }, end: Position { line: 162, column: 4, }, }, }, ), ], }, ), span: Span { start: Position { line: 141, column: 71, }, end: Position { line: 162, column: 4, }, }, }, ), span: Span { start: Position { line: 141, column: 66, }, end: Position { line: 162, column: 4, }, }, }, ), span: Span { start: Position { line: 141, column: 60, }, end: Position { line: 162, column: 4, }, }, }, ), PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "config", span: Span { start: Position { line: 162, column: 6, }, end: Position { line: 162, column: 12, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "systemd", span: Span { start: Position { line: 162, column: 13, }, end: Position { line: 162, column: 20, }, }, }, ), Raw( PartRaw { content: "services", span: Span { start: Position { line: 162, column: 21, }, end: Position { line: 162, column: 29, }, }, }, ), ], default: None, }, ), ], }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "config", span: Span { start: Position { line: 164, column: 3, }, end: Position { line: 164, column: 9, }, }, }, ), Raw( PartRaw { content: "systemd", span: Span { start: Position { line: 164, column: 10, }, end: Position { line: 164, column: 17, }, }, }, ), Raw( PartRaw { content: "packages", span: Span { start: Position { line: 164, column: 18, }, end: Position { line: 164, column: 26, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 164, column: 29, }, end: Position { line: 164, column: 32, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "concatLists", span: Span { start: Position { line: 164, column: 33, }, end: Position { line: 164, column: 44, }, }, }, ), ], default: None, }, ), arguments: [ FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 164, column: 46, }, end: Position { line: 164, column: 49, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mapAttrsToList", span: Span { start: Position { line: 164, column: 50, }, end: Position { line: 164, column: 64, }, }, }, ), ], default: None, }, ), arguments: [ Function( Function { head: Simple( FunctionHeadSimple { identifier: "name", }, ), body: Function( Function { head: Simple( FunctionHeadSimple { identifier: "cfg", }, ), body: LetIn( LetIn { bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "rootPaths", span: Span { start: Position { line: 165, column: 5, }, end: Position { line: 165, column: 14, }, }, }, ), ], to: LetIn( LetIn { bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "contents", span: Span { start: Position { line: 166, column: 7, }, end: Position { line: 166, column: 15, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 166, column: 18, }, end: Position { line: 166, column: 21, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "concatStringsSep", span: Span { start: Position { line: 166, column: 22, }, end: Position { line: 166, column: 38, }, }, }, ), ], default: None, }, ), arguments: [ String( String_ { parts: [ Raw( PartRaw { content: "\n", span: Span { start: Position { line: 166, column: 40, }, end: Position { line: 166, column: 42, }, }, }, ), ], span: Span { start: Position { line: 166, column: 39, }, end: Position { line: 166, column: 43, }, }, }, ), PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "cfg", span: Span { start: Position { line: 166, column: 44, }, end: Position { line: 166, column: 47, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "confinement", span: Span { start: Position { line: 166, column: 48, }, end: Position { line: 166, column: 59, }, }, }, ), Raw( PartRaw { content: "packages", span: Span { start: Position { line: 166, column: 60, }, end: Position { line: 166, column: 68, }, }, }, ), ], default: None, }, ), ], }, ), }, ), ], target: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "pkgs", span: Span { start: Position { line: 167, column: 8, }, end: Position { line: 167, column: 12, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "writeText", span: Span { start: Position { line: 167, column: 13, }, end: Position { line: 167, column: 22, }, }, }, ), ], default: None, }, ), arguments: [ String( String_ { parts: [ Interpolation( PartInterpolation { expression: FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkPathSafeName", span: Span { start: Position { line: 167, column: 26, }, end: Position { line: 167, column: 40, }, }, }, ), arguments: [ Identifier( Identifier { id: "name", span: Span { start: Position { line: 167, column: 41, }, end: Position { line: 167, column: 45, }, }, }, ), ], }, ), }, ), Raw( PartRaw { content: "-string-contexts.txt", span: Span { start: Position { line: 167, column: 24, }, end: Position { line: 167, column: 66, }, }, }, ), ], span: Span { start: Position { line: 167, column: 23, }, end: Position { line: 167, column: 67, }, }, }, ), Identifier( Identifier { id: "contents", span: Span { start: Position { line: 167, column: 68, }, end: Position { line: 167, column: 76, }, }, }, ), ], }, ), span: Span { start: Position { line: 165, column: 17, }, end: Position { line: 167, column: 76, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "chrootPaths", span: Span { start: Position { line: 169, column: 5, }, end: Position { line: 169, column: 16, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "pkgs", span: Span { start: Position { line: 169, column: 19, }, end: Position { line: 169, column: 23, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "runCommand", span: Span { start: Position { line: 169, column: 24, }, end: Position { line: 169, column: 34, }, }, }, ), ], default: None, }, ), arguments: [ String( String_ { parts: [ Interpolation( PartInterpolation { expression: FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkPathSafeName", span: Span { start: Position { line: 169, column: 38, }, end: Position { line: 169, column: 52, }, }, }, ), arguments: [ Identifier( Identifier { id: "name", span: Span { start: Position { line: 169, column: 53, }, end: Position { line: 169, column: 57, }, }, }, ), ], }, ), }, ), Raw( PartRaw { content: "-chroot-paths", span: Span { start: Position { line: 169, column: 36, }, end: Position { line: 169, column: 71, }, }, }, ), ], span: Span { start: Position { line: 169, column: 35, }, end: Position { line: 169, column: 72, }, }, }, ), Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "closureInfo", span: Span { start: Position { line: 170, column: 7, }, end: Position { line: 170, column: 18, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "pkgs", span: Span { start: Position { line: 170, column: 21, }, end: Position { line: 170, column: 25, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "closureInfo", span: Span { start: Position { line: 170, column: 26, }, end: Position { line: 170, column: 37, }, }, }, ), ], default: None, }, ), arguments: [ Map( Map { recursive: false, bindings: [ Inherit( BindingInherit { from: None, attributes: [ Raw( PartRaw { content: "rootPaths", span: Span { start: Position { line: 170, column: 48, }, end: Position { line: 170, column: 57, }, }, }, ), ], span: Span { start: Position { line: 170, column: 39, }, end: Position { line: 170, column: 58, }, }, }, ), ], span: Span { start: Position { line: 170, column: 38, }, end: Position { line: 170, column: 60, }, }, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "serviceName", span: Span { start: Position { line: 171, column: 7, }, end: Position { line: 171, column: 18, }, }, }, ), ], to: String( String_ { parts: [ Interpolation( PartInterpolation { expression: Identifier( Identifier { id: "name", span: Span { start: Position { line: 171, column: 24, }, end: Position { line: 171, column: 28, }, }, }, ), }, ), Raw( PartRaw { content: ".service", span: Span { start: Position { line: 171, column: 22, }, end: Position { line: 171, column: 37, }, }, }, ), ], span: Span { start: Position { line: 171, column: 21, }, end: Position { line: 171, column: 38, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "excludedPath", span: Span { start: Position { line: 172, column: 7, }, end: Position { line: 172, column: 19, }, }, }, ), ], to: Identifier( Identifier { id: "rootPaths", span: Span { start: Position { line: 172, column: 22, }, end: Position { line: 172, column: 31, }, }, }, ), }, ), ], span: Span { start: Position { line: 169, column: 73, }, end: Position { line: 173, column: 6, }, }, }, ), IndentedString( IndentedString { parts: [ Raw( PartRaw { content: "mkdir -p \"$out/lib/systemd/system/$serviceName.d\"\nserviceFile=\"$out/lib/systemd/system/$serviceName.d/confinement.conf\"\n\necho '[Service]' > \"$serviceFile\"\n\n# /bin/sh is special here, because the option value could contain a\n# symlink and we need to properly resolve it.\n", span: Span { start: Position { line: 174, column: 1, }, end: Position { line: 181, column: 7, }, }, }, ), Interpolation( PartInterpolation { expression: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 181, column: 9, }, end: Position { line: 181, column: 12, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "optionalString", span: Span { start: Position { line: 181, column: 13, }, end: Position { line: 181, column: 27, }, }, }, ), ], default: None, }, ), arguments: [ BinaryOperation( BinaryOperation { left: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "cfg", span: Span { start: Position { line: 181, column: 29, }, end: Position { line: 181, column: 32, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "confinement", span: Span { start: Position { line: 181, column: 33, }, end: Position { line: 181, column: 44, }, }, }, ), Raw( PartRaw { content: "binSh", span: Span { start: Position { line: 181, column: 45, }, end: Position { line: 181, column: 50, }, }, }, ), ], default: None, }, ), operator: NotEqualTo, right: Identifier( Identifier { id: "null", span: Span { start: Position { line: 181, column: 54, }, end: Position { line: 181, column: 58, }, }, }, ), }, ), IndentedString( IndentedString { parts: [ Raw( PartRaw { content: "binsh=", span: Span { start: Position { line: 182, column: 1, }, end: Position { line: 182, column: 15, }, }, }, ), Interpolation( PartInterpolation { expression: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 182, column: 17, }, end: Position { line: 182, column: 20, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "escapeShellArg", span: Span { start: Position { line: 182, column: 21, }, end: Position { line: 182, column: 35, }, }, }, ), ], default: None, }, ), arguments: [ PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "cfg", span: Span { start: Position { line: 182, column: 36, }, end: Position { line: 182, column: 39, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "confinement", span: Span { start: Position { line: 182, column: 40, }, end: Position { line: 182, column: 51, }, }, }, ), Raw( PartRaw { content: "binSh", span: Span { start: Position { line: 182, column: 52, }, end: Position { line: 182, column: 57, }, }, }, ), ], default: None, }, ), ], }, ), }, ), Raw( PartRaw { content: "\nrealprog=\"$(readlink -e \"$binsh\")\"\necho \"BindReadOnlyPaths=$realprog:/bin/sh\" >> \"$serviceFile\"\n", span: Span { start: Position { line: 182, column: 1, }, end: Position { line: 185, column: 7, }, }, }, ), ], span: Span { start: Position { line: 181, column: 60, }, end: Position { line: 185, column: 9, }, }, }, ), ], }, ), }, ), Raw( PartRaw { content: "\n\nwhile read storePath; do\n if [ -L \"$storePath\" ]; then\n # Currently, systemd can't cope with symlinks in Bind(ReadOnly)Paths,\n # so let's just bind-mount the target to that location.\n echo \"BindReadOnlyPaths=$(readlink -e \"$storePath\"):$storePath\"\n elif [ \"$storePath\" != \"$excludedPath\" ]; then\n echo \"BindReadOnlyPaths=$storePath\"\n fi\ndone < \"$closureInfo/store-paths\" >> \"$serviceFile\"\n", span: Span { start: Position { line: 174, column: 1, }, end: Position { line: 196, column: 5, }, }, }, ), ], span: Span { start: Position { line: 173, column: 7, }, end: Position { line: 196, column: 7, }, }, }, ), ], }, ), }, ), ], target: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 197, column: 6, }, end: Position { line: 197, column: 9, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "optional", span: Span { start: Position { line: 197, column: 10, }, end: Position { line: 197, column: 18, }, }, }, ), ], default: None, }, ), arguments: [ PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "cfg", span: Span { start: Position { line: 197, column: 19, }, end: Position { line: 197, column: 22, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "confinement", span: Span { start: Position { line: 197, column: 23, }, end: Position { line: 197, column: 34, }, }, }, ), Raw( PartRaw { content: "enable", span: Span { start: Position { line: 197, column: 35, }, end: Position { line: 197, column: 41, }, }, }, ), ], default: None, }, ), Identifier( Identifier { id: "chrootPaths", span: Span { start: Position { line: 197, column: 42, }, end: Position { line: 197, column: 53, }, }, }, ), ], }, ), span: Span { start: Position { line: 164, column: 77, }, end: Position { line: 197, column: 53, }, }, }, ), span: Span { start: Position { line: 164, column: 72, }, end: Position { line: 197, column: 53, }, }, }, ), span: Span { start: Position { line: 164, column: 66, }, end: Position { line: 197, column: 53, }, }, }, ), PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "config", span: Span { start: Position { line: 197, column: 55, }, end: Position { line: 197, column: 61, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "systemd", span: Span { start: Position { line: 197, column: 62, }, end: Position { line: 197, column: 69, }, }, }, ), Raw( PartRaw { content: "services", span: Span { start: Position { line: 197, column: 70, }, end: Position { line: 197, column: 78, }, }, }, ), ], default: None, }, ), ], }, ), ], }, ), }, ), ], span: Span { start: Position { line: 7, column: 4, }, end: Position { line: 198, column: 2, }, }, }, ), span: Span { start: Position { line: 3, column: 1, }, end: Position { line: 198, column: 2, }, }, }, ), span: Span { start: Position { line: 1, column: 1, }, end: Position { line: 198, column: 2, }, }, }, )