---
Function {
 argument: Destructured {
  identifier: None,
  arguments: [
   DestructuredArgument {
    identifier: "config",
    default: None,
   },
   DestructuredArgument {
    identifier: "pkgs",
    default: None,
   },
   DestructuredArgument {
    identifier: "lib",
    default: None,
   },
   DestructuredArgument {
    identifier: "utils",
    default: None,
   },
  ],
  ellipsis: true,
 },
 definition: LetIn {
  bindings: [
   Binding {
    from: AttributePath {
     parts: [
      Raw {
       content: "toplevelConfig",
       position: (4, 3),
      },
     ],
    },
    to: Variable {
     identifier: "config",
     position: (4, 20),
    },
   },
   Inherit {
    from: Some(
     Variable {
      identifier: "lib",
      position: (5, 12),
     },
    ),
    attributes: [
     Raw {
      content: "types",
      position: (5, 17),
     },
    ],
   },
   Inherit {
    from: Some(
     PropertyAccess {
      expression: Variable {
       identifier: "utils",
       position: (6, 12),
      },
      attribute_path: AttributePath {
       parts: [
        Raw {
         content: "systemdUtils",
         position: (6, 18),
        },
        Raw {
         content: "lib",
         position: (6, 31),
        },
       ],
      },
      default: None,
     },
    ),
    attributes: [
     Raw {
      content: "mkPathSafeName",
      position: (6, 36),
     },
    ],
   },
  ],
  target: Map {
   bindings: [
    Binding {
     from: AttributePath {
      parts: [
       Raw {
        content: "options",
        position: (8, 3),
       },
       Raw {
        content: "systemd",
        position: (8, 11),
       },
       Raw {
        content: "services",
        position: (8, 19),
       },
      ],
     },
     to: FunctionApplication {
      function: PropertyAccess {
       expression: Variable {
        identifier: "lib",
        position: (8, 30),
       },
       attribute_path: AttributePath {
        parts: [
         Raw {
          content: "mkOption",
          position: (8, 34),
         },
        ],
       },
       default: None,
      },
      arguments: [
       Map {
        bindings: [
         Binding {
          from: AttributePath {
           parts: [
            Raw {
             content: "type",
             position: (9, 5),
            },
           ],
          },
          to: FunctionApplication {
           function: PropertyAccess {
            expression: Variable {
             identifier: "types",
             position: (9, 12),
            },
            attribute_path: AttributePath {
             parts: [
              Raw {
               content: "attrsOf",
               position: (9, 18),
              },
             ],
            },
            default: None,
           },
           arguments: [
            Parentheses {
             expression: FunctionApplication {
              function: PropertyAccess {
               expression: Variable {
                identifier: "types",
                position: (9, 27),
               },
               attribute_path: AttributePath {
                parts: [
                 Raw {
                  content: "submodule",
                  position: (9, 33),
                 },
                ],
               },
               default: None,
              },
              arguments: [
               Parentheses {
                expression: Function {
                 argument: Destructured {
                  identifier: None,
                  arguments: [
                   DestructuredArgument {
                    identifier: "name",
                    default: None,
                   },
                   DestructuredArgument {
                    identifier: "config",
                    default: None,
                   },
                  ],
                  ellipsis: true,
                 },
                 definition: Map {
                  bindings: [
                   Binding {
                    from: AttributePath {
                     parts: [
                      Raw {
                       content: "options",
                       position: (10, 7),
                      },
                      Raw {
                       content: "confinement",
                       position: (10, 15),
                      },
                      Raw {
                       content: "enable",
                       position: (10, 27),
                      },
                     ],
                    },
                    to: FunctionApplication {
                     function: PropertyAccess {
                      expression: Variable {
                       identifier: "lib",
                       position: (10, 36),
                      },
                      attribute_path: AttributePath {
                       parts: [
                        Raw {
                         content: "mkOption",
                         position: (10, 40),
                        },
                       ],
                      },
                      default: None,
                     },
                     arguments: [
                      Map {
                       bindings: [
                        Binding {
                         from: AttributePath {
                          parts: [
                           Raw {
                            content: "type",
                            position: (11, 9),
                           },
                          ],
                         },
                         to: PropertyAccess {
                          expression: Variable {
                           identifier: "types",
                           position: (11, 16),
                          },
                          attribute_path: AttributePath {
                           parts: [
                            Raw {
                             content: "bool",
                             position: (11, 22),
                            },
                           ],
                          },
                          default: None,
                         },
                        },
                        Binding {
                         from: AttributePath {
                          parts: [
                           Raw {
                            content: "default",
                            position: (12, 9),
                           },
                          ],
                         },
                         to: Variable {
                          identifier: "false",
                          position: (12, 19),
                         },
                        },
                        Binding {
                         from: AttributePath {
                          parts: [
                           Raw {
                            content: "description",
                            position: (13, 9),
                           },
                          ],
                         },
                         to: String {
                          parts: [
                           Raw {
                            content: "If set, all the required runtime store paths for this service are\nbind-mounted into a <literal>tmpfs</literal>-based <citerefentry>\n  <refentrytitle>chroot</refentrytitle>\n  <manvolnum>2</manvolnum>\n</citerefentry>.\n",
                            position: (14, 1),
                           },
                          ],
                          position: (13, 23),
                         },
                        },
                       ],
                       recursive: false,
                       position: (10, 49),
                      },
                     ],
                    },
                   },
                   Binding {
                    from: AttributePath {
                     parts: [
                      Raw {
                       content: "options",
                       position: (22, 7),
                      },
                      Raw {
                       content: "confinement",
                       position: (22, 15),
                      },
                      Raw {
                       content: "fullUnit",
                       position: (22, 27),
                      },
                     ],
                    },
                    to: FunctionApplication {
                     function: PropertyAccess {
                      expression: Variable {
                       identifier: "lib",
                       position: (22, 38),
                      },
                      attribute_path: AttributePath {
                       parts: [
                        Raw {
                         content: "mkOption",
                         position: (22, 42),
                        },
                       ],
                      },
                      default: None,
                     },
                     arguments: [
                      Map {
                       bindings: [
                        Binding {
                         from: AttributePath {
                          parts: [
                           Raw {
                            content: "type",
                            position: (23, 9),
                           },
                          ],
                         },
                         to: PropertyAccess {
                          expression: Variable {
                           identifier: "types",
                           position: (23, 16),
                          },
                          attribute_path: AttributePath {
                           parts: [
                            Raw {
                             content: "bool",
                             position: (23, 22),
                            },
                           ],
                          },
                          default: None,
                         },
                        },
                        Binding {
                         from: AttributePath {
                          parts: [
                           Raw {
                            content: "default",
                            position: (24, 9),
                           },
                          ],
                         },
                         to: Variable {
                          identifier: "false",
                          position: (24, 19),
                         },
                        },
                        Binding {
                         from: AttributePath {
                          parts: [
                           Raw {
                            content: "description",
                            position: (25, 9),
                           },
                          ],
                         },
                         to: String {
                          parts: [
                           Raw {
                            content: "Whether to include the full closure of the systemd unit file into the\nchroot, instead of just the dependencies for the executables.\n\n<warning><para>While it may be tempting to just enable this option to\nmake things work quickly, please be aware that this might add paths\nto the closure of the chroot that you didn't anticipate. It's better\nto use <option>confinement.packages</option> to <emphasis\nrole=\"strong\">explicitly</emphasis> add additional store paths to the\nchroot.</para></warning>\n",
                            position: (26, 1),
                           },
                          ],
                          position: (25, 23),
                         },
                        },
                       ],
                       recursive: false,
                       position: (22, 51),
                      },
                     ],
                    },
                   },
                   Binding {
                    from: AttributePath {
                     parts: [
                      Raw {
                       content: "options",
                       position: (38, 7),
                      },
                      Raw {
                       content: "confinement",
                       position: (38, 15),
                      },
                      Raw {
                       content: "packages",
                       position: (38, 27),
                      },
                     ],
                    },
                    to: FunctionApplication {
                     function: PropertyAccess {
                      expression: Variable {
                       identifier: "lib",
                       position: (38, 38),
                      },
                      attribute_path: AttributePath {
                       parts: [
                        Raw {
                         content: "mkOption",
                         position: (38, 42),
                        },
                       ],
                      },
                      default: None,
                     },
                     arguments: [
                      Map {
                       bindings: [
                        Binding {
                         from: AttributePath {
                          parts: [
                           Raw {
                            content: "type",
                            position: (39, 9),
                           },
                          ],
                         },
                         to: FunctionApplication {
                          function: PropertyAccess {
                           expression: Variable {
                            identifier: "types",
                            position: (39, 16),
                           },
                           attribute_path: AttributePath {
                            parts: [
                             Raw {
                              content: "listOf",
                              position: (39, 22),
                             },
                            ],
                           },
                           default: None,
                          },
                          arguments: [
                           Parentheses {
                            expression: FunctionApplication {
                             function: PropertyAccess {
                              expression: Variable {
                               identifier: "types",
                               position: (39, 30),
                              },
                              attribute_path: AttributePath {
                               parts: [
                                Raw {
                                 content: "either",
                                 position: (39, 36),
                                },
                               ],
                              },
                              default: None,
                             },
                             arguments: [
                              PropertyAccess {
                               expression: Variable {
                                identifier: "types",
                                position: (39, 43),
                               },
                               attribute_path: AttributePath {
                                parts: [
                                 Raw {
                                  content: "str",
                                  position: (39, 49),
                                 },
                                ],
                               },
                               default: None,
                              },
                              PropertyAccess {
                               expression: Variable {
                                identifier: "types",
                                position: (39, 53),
                               },
                               attribute_path: AttributePath {
                                parts: [
                                 Raw {
                                  content: "package",
                                  position: (39, 59),
                                 },
                                ],
                               },
                               default: None,
                              },
                             ],
                            },
                            position: (39, 29),
                           },
                          ],
                         },
                        },
                        Binding {
                         from: AttributePath {
                          parts: [
                           Raw {
                            content: "default",
                            position: (40, 9),
                           },
                          ],
                         },
                         to: List {
                          elements: [],
                          position: (40, 19),
                         },
                        },
                        Binding {
                         from: AttributePath {
                          parts: [
                           Raw {
                            content: "description",
                            position: (41, 9),
                           },
                          ],
                         },
                         to: LetIn {
                          bindings: [
                           Binding {
                            from: AttributePath {
                             parts: [
                              Raw {
                               content: "mkScOption",
                               position: (42, 11),
                              },
                             ],
                            },
                            to: Function {
                             argument: Simple {
                              identifier: "optName",
                             },
                             definition: String {
                              parts: [
                               Raw {
                                content: "<option>serviceConfig.",
                                position: (42, 34),
                               },
                               Expression {
                                expression: Variable {
                                 identifier: "optName",
                                 position: (42, 58),
                                },
                               },
                               Raw {
                                content: "</option>",
                                position: (42, 66),
                               },
                              ],
                              position: (42, 33),
                             },
                             position: (42, 24),
                            },
                           },
                          ],
                          target: String {
                           parts: [
                            Raw {
                             content: "Additional packages or strings with context to add to the closure of\nthe chroot. By default, this includes all the packages from the\n",
                             position: (44, 1),
                            },
                            Expression {
                             expression: FunctionApplication {
                              function: PropertyAccess {
                               expression: Variable {
                                identifier: "lib",
                                position: (46, 13),
                               },
                               attribute_path: AttributePath {
                                parts: [
                                 Raw {
                                  content: "concatMapStringsSep",
                                  position: (46, 17),
                                 },
                                ],
                               },
                               default: None,
                              },
                              arguments: [
                               String {
                                parts: [
                                 Raw {
                                  content: ", ",
                                  position: (46, 38),
                                 },
                                ],
                                position: (46, 37),
                               },
                               Variable {
                                identifier: "mkScOption",
                                position: (46, 42),
                               },
                               List {
                                elements: [
                                 String {
                                  parts: [
                                   Raw {
                                    content: "ExecReload",
                                    position: (47, 14),
                                   },
                                  ],
                                  position: (47, 13),
                                 },
                                 String {
                                  parts: [
                                   Raw {
                                    content: "ExecStartPost",
                                    position: (47, 27),
                                   },
                                  ],
                                  position: (47, 26),
                                 },
                                 String {
                                  parts: [
                                   Raw {
                                    content: "ExecStartPre",
                                    position: (47, 43),
                                   },
                                  ],
                                  position: (47, 42),
                                 },
                                 String {
                                  parts: [
                                   Raw {
                                    content: "ExecStop",
                                    position: (47, 58),
                                   },
                                  ],
                                  position: (47, 57),
                                 },
                                 String {
                                  parts: [
                                   Raw {
                                    content: "ExecStopPost",
                                    position: (48, 14),
                                   },
                                  ],
                                  position: (48, 13),
                                 },
                                ],
                                position: (46, 53),
                               },
                              ],
                             },
                            },
                            Raw {
                             content: " and ",
                             position: (49, 13),
                            },
                            Expression {
                             expression: FunctionApplication {
                              function: Variable {
                               identifier: "mkScOption",
                               position: (49, 20),
                              },
                              arguments: [
                               String {
                                parts: [
                                 Raw {
                                  content: "ExecStart",
                                  position: (49, 32),
                                 },
                                ],
                                position: (49, 31),
                               },
                              ],
                             },
                            },
                            Raw {
                             content: " options. If you want to have all the\ndependencies of this systemd unit, you can use\n<option>confinement.fullUnit</option>.\n\n<note><para>The store paths listed in <option>path</option> are\n<emphasis role=\"strong\">not</emphasis> included in the closure as\nwell as paths from other options except those listed\nabove.</para></note>\n",
                             position: (49, 43),
                            },
                           ],
                           position: (43, 12),
                          },
                          position: (41, 23),
                         },
                        },
                       ],
                       recursive: false,
                       position: (38, 51),
                      },
                     ],
                    },
                   },
                   Binding {
                    from: AttributePath {
                     parts: [
                      Raw {
                       content: "options",
                       position: (60, 7),
                      },
                      Raw {
                       content: "confinement",
                       position: (60, 15),
                      },
                      Raw {
                       content: "binSh",
                       position: (60, 27),
                      },
                     ],
                    },
                    to: FunctionApplication {
                     function: PropertyAccess {
                      expression: Variable {
                       identifier: "lib",
                       position: (60, 35),
                      },
                      attribute_path: AttributePath {
                       parts: [
                        Raw {
                         content: "mkOption",
                         position: (60, 39),
                        },
                       ],
                      },
                      default: None,
                     },
                     arguments: [
                      Map {
                       bindings: [
                        Binding {
                         from: AttributePath {
                          parts: [
                           Raw {
                            content: "type",
                            position: (61, 9),
                           },
                          ],
                         },
                         to: FunctionApplication {
                          function: PropertyAccess {
                           expression: Variable {
                            identifier: "types",
                            position: (61, 16),
                           },
                           attribute_path: AttributePath {
                            parts: [
                             Raw {
                              content: "nullOr",
                              position: (61, 22),
                             },
                            ],
                           },
                           default: None,
                          },
                          arguments: [
                           PropertyAccess {
                            expression: Variable {
                             identifier: "types",
                             position: (61, 29),
                            },
                            attribute_path: AttributePath {
                             parts: [
                              Raw {
                               content: "path",
                               position: (61, 35),
                              },
                             ],
                            },
                            default: None,
                           },
                          ],
                         },
                        },
                        Binding {
                         from: AttributePath {
                          parts: [
                           Raw {
                            content: "default",
                            position: (62, 9),
                           },
                          ],
                         },
                         to: PropertyAccess {
                          expression: Variable {
                           identifier: "toplevelConfig",
                           position: (62, 19),
                          },
                          attribute_path: AttributePath {
                           parts: [
                            Raw {
                             content: "environment",
                             position: (62, 34),
                            },
                            Raw {
                             content: "binsh",
                             position: (62, 46),
                            },
                           ],
                          },
                          default: None,
                         },
                        },
                        Binding {
                         from: AttributePath {
                          parts: [
                           Raw {
                            content: "defaultText",
                            position: (63, 9),
                           },
                          ],
                         },
                         to: FunctionApplication {
                          function: PropertyAccess {
                           expression: Variable {
                            identifier: "lib",
                            position: (63, 23),
                           },
                           attribute_path: AttributePath {
                            parts: [
                             Raw {
                              content: "literalExpression",
                              position: (63, 27),
                             },
                            ],
                           },
                           default: None,
                          },
                          arguments: [
                           String {
                            parts: [
                             Raw {
                              content: "config.environment.binsh",
                              position: (63, 46),
                             },
                            ],
                            position: (63, 45),
                           },
                          ],
                         },
                        },
                        Binding {
                         from: AttributePath {
                          parts: [
                           Raw {
                            content: "example",
                            position: (64, 9),
                           },
                          ],
                         },
                         to: FunctionApplication {
                          function: PropertyAccess {
                           expression: Variable {
                            identifier: "lib",
                            position: (64, 19),
                           },
                           attribute_path: AttributePath {
                            parts: [
                             Raw {
                              content: "literalExpression",
                              position: (64, 23),
                             },
                            ],
                           },
                           default: None,
                          },
                          arguments: [
                           String {
                            parts: [
                             Raw {
                              content: "\"",
                              position: (64, 43),
                             },
                             Raw {
                              content: "$",
                              position: (64, 44),
                             },
                             Raw {
                              content: "{pkgs.dash}/bin/dash\"",
                              position: (64, 47),
                             },
                            ],
                            position: (64, 41),
                           },
                          ],
                         },
                        },
                        Binding {
                         from: AttributePath {
                          parts: [
                           Raw {
                            content: "description",
                            position: (65, 9),
                           },
                          ],
                         },
                         to: String {
                          parts: [
                           Raw {
                            content: "The program to make available as <filename>/bin/sh</filename> inside\nthe chroot. If this is set to <literal>null</literal>, no\n<filename>/bin/sh</filename> is provided at all.\n\nThis is useful for some applications, which for example use the\n<citerefentry>\n  <refentrytitle>system</refentrytitle>\n  <manvolnum>3</manvolnum>\n</citerefentry> library function to execute commands.\n",
                            position: (66, 1),
                           },
                          ],
                          position: (65, 23),
                         },
                        },
                       ],
                       recursive: false,
                       position: (60, 48),
                      },
                     ],
                    },
                   },
                   Binding {
                    from: AttributePath {
                     parts: [
                      Raw {
                       content: "options",
                       position: (78, 7),
                      },
                      Raw {
                       content: "confinement",
                       position: (78, 15),
                      },
                      Raw {
                       content: "mode",
                       position: (78, 27),
                      },
                     ],
                    },
                    to: FunctionApplication {
                     function: PropertyAccess {
                      expression: Variable {
                       identifier: "lib",
                       position: (78, 34),
                      },
                      attribute_path: AttributePath {
                       parts: [
                        Raw {
                         content: "mkOption",
                         position: (78, 38),
                        },
                       ],
                      },
                      default: None,
                     },
                     arguments: [
                      Map {
                       bindings: [
                        Binding {
                         from: AttributePath {
                          parts: [
                           Raw {
                            content: "type",
                            position: (79, 9),
                           },
                          ],
                         },
                         to: FunctionApplication {
                          function: PropertyAccess {
                           expression: Variable {
                            identifier: "types",
                            position: (79, 16),
                           },
                           attribute_path: AttributePath {
                            parts: [
                             Raw {
                              content: "enum",
                              position: (79, 22),
                             },
                            ],
                           },
                           default: None,
                          },
                          arguments: [
                           List {
                            elements: [
                             String {
                              parts: [
                               Raw {
                                content: "full-apivfs",
                                position: (79, 30),
                               },
                              ],
                              position: (79, 29),
                             },
                             String {
                              parts: [
                               Raw {
                                content: "chroot-only",
                                position: (79, 44),
                               },
                              ],
                              position: (79, 43),
                             },
                            ],
                            position: (79, 27),
                           },
                          ],
                         },
                        },
                        Binding {
                         from: AttributePath {
                          parts: [
                           Raw {
                            content: "default",
                            position: (80, 9),
                           },
                          ],
                         },
                         to: String {
                          parts: [
                           Raw {
                            content: "full-apivfs",
                            position: (80, 20),
                           },
                          ],
                          position: (80, 19),
                         },
                        },
                        Binding {
                         from: AttributePath {
                          parts: [
                           Raw {
                            content: "description",
                            position: (81, 9),
                           },
                          ],
                         },
                         to: String {
                          parts: [
                           Raw {
                            content: "The value <literal>full-apivfs</literal> (the default) sets up\nprivate <filename class=\"directory\">/dev</filename>, <filename\nclass=\"directory\">/proc</filename>, <filename\nclass=\"directory\">/sys</filename> and <filename\nclass=\"directory\">/tmp</filename> file systems in a separate user\nname space.\n\nIf this is set to <literal>chroot-only</literal>, only the file\nsystem name space is set up along with the call to <citerefentry>\n  <refentrytitle>chroot</refentrytitle>\n  <manvolnum>2</manvolnum>\n</citerefentry>.\n\n<note><para>This doesn't cover network namespaces and is solely for\nfile system level isolation.</para></note>\n",
                            position: (82, 1),
                           },
                          ],
                          position: (81, 23),
                         },
                        },
                       ],
                       recursive: false,
                       position: (78, 47),
                      },
                     ],
                    },
                   },
                   Binding {
                    from: AttributePath {
                     parts: [
                      Raw {
                       content: "config",
                       position: (100, 7),
                      },
                     ],
                    },
                    to: LetIn {
                     bindings: [
                      Binding {
                       from: AttributePath {
                        parts: [
                         Raw {
                          content: "rootName",
                          position: (101, 9),
                         },
                        ],
                       },
                       to: String {
                        parts: [
                         Expression {
                          expression: FunctionApplication {
                           function: Variable {
                            identifier: "mkPathSafeName",
                            position: (101, 23),
                           },
                           arguments: [
                            Variable {
                             identifier: "name",
                             position: (101, 38),
                            },
                           ],
                          },
                         },
                         Raw {
                          content: "-chroot",
                          position: (101, 43),
                         },
                        ],
                        position: (101, 20),
                       },
                      },
                      Inherit {
                       from: Some(
                        PropertyAccess {
                         expression: Variable {
                          identifier: "config",
                          position: (102, 18),
                         },
                         attribute_path: AttributePath {
                          parts: [
                           Raw {
                            content: "confinement",
                            position: (102, 25),
                           },
                          ],
                         },
                         default: None,
                        },
                       ),
                       attributes: [
                        Raw {
                         content: "binSh",
                         position: (102, 38),
                        },
                        Raw {
                         content: "fullUnit",
                         position: (102, 44),
                        },
                       ],
                      },
                      Binding {
                       from: AttributePath {
                        parts: [
                         Raw {
                          content: "wantsAPIVFS",
                          position: (103, 9),
                         },
                        ],
                       },
                       to: FunctionApplication {
                        function: PropertyAccess {
                         expression: Variable {
                          identifier: "lib",
                          position: (103, 23),
                         },
                         attribute_path: AttributePath {
                          parts: [
                           Raw {
                            content: "mkDefault",
                            position: (103, 27),
                           },
                          ],
                         },
                         default: None,
                        },
                        arguments: [
                         Parentheses {
                          expression: BinaryOperation {
                           operator: EqualTo,
                           operands: [
                            PropertyAccess {
                             expression: Variable {
                              identifier: "config",
                              position: (103, 38),
                             },
                             attribute_path: AttributePath {
                              parts: [
                               Raw {
                                content: "confinement",
                                position: (103, 45),
                               },
                               Raw {
                                content: "mode",
                                position: (103, 57),
                               },
                              ],
                             },
                             default: None,
                            },
                            String {
                             parts: [
                              Raw {
                               content: "full-apivfs",
                               position: (103, 66),
                              },
                             ],
                             position: (103, 65),
                            },
                           ],
                           position: (103, 62),
                          },
                          position: (103, 37),
                         },
                        ],
                       },
                      },
                     ],
                     target: FunctionApplication {
                      function: PropertyAccess {
                       expression: Variable {
                        identifier: "lib",
                        position: (104, 10),
                       },
                       attribute_path: AttributePath {
                        parts: [
                         Raw {
                          content: "mkIf",
                          position: (104, 14),
                         },
                        ],
                       },
                       default: None,
                      },
                      arguments: [
                       PropertyAccess {
                        expression: Variable {
                         identifier: "config",
                         position: (104, 19),
                        },
                        attribute_path: AttributePath {
                         parts: [
                          Raw {
                           content: "confinement",
                           position: (104, 26),
                          },
                          Raw {
                           content: "enable",
                           position: (104, 38),
                          },
                         ],
                        },
                        default: None,
                       },
                       Map {
                        bindings: [
                         Binding {
                          from: AttributePath {
                           parts: [
                            Raw {
                             content: "serviceConfig",
                             position: (105, 9),
                            },
                           ],
                          },
                          to: Map {
                           bindings: [
                            Binding {
                             from: AttributePath {
                              parts: [
                               Raw {
                                content: "RootDirectory",
                                position: (106, 11),
                               },
                              ],
                             },
                             to: String {
                              parts: [
                               Raw {
                                content: "/var/empty",
                                position: (106, 28),
                               },
                              ],
                              position: (106, 27),
                             },
                            },
                            Binding {
                             from: AttributePath {
                              parts: [
                               Raw {
                                content: "TemporaryFileSystem",
                                position: (107, 11),
                               },
                              ],
                             },
                             to: String {
                              parts: [
                               Raw {
                                content: "/",
                                position: (107, 34),
                               },
                              ],
                              position: (107, 33),
                             },
                            },
                            Binding {
                             from: AttributePath {
                              parts: [
                               Raw {
                                content: "PrivateMounts",
                                position: (108, 11),
                               },
                              ],
                             },
                             to: FunctionApplication {
                              function: PropertyAccess {
                               expression: Variable {
                                identifier: "lib",
                                position: (108, 27),
                               },
                               attribute_path: AttributePath {
                                parts: [
                                 Raw {
                                  content: "mkDefault",
                                  position: (108, 31),
                                 },
                                ],
                               },
                               default: None,
                              },
                              arguments: [
                               Variable {
                                identifier: "true",
                                position: (108, 41),
                               },
                              ],
                             },
                            },
                            Binding {
                             from: AttributePath {
                              parts: [
                               Raw {
                                content: "MountAPIVFS",
                                position: (121, 11),
                               },
                              ],
                             },
                             to: Variable {
                              identifier: "wantsAPIVFS",
                              position: (121, 25),
                             },
                            },
                            Binding {
                             from: AttributePath {
                              parts: [
                               Raw {
                                content: "PrivateDevices",
                                position: (122, 11),
                               },
                              ],
                             },
                             to: Variable {
                              identifier: "wantsAPIVFS",
                              position: (122, 28),
                             },
                            },
                            Binding {
                             from: AttributePath {
                              parts: [
                               Raw {
                                content: "PrivateTmp",
                                position: (123, 11),
                               },
                              ],
                             },
                             to: Variable {
                              identifier: "wantsAPIVFS",
                              position: (123, 24),
                             },
                            },
                            Binding {
                             from: AttributePath {
                              parts: [
                               Raw {
                                content: "PrivateUsers",
                                position: (124, 11),
                               },
                              ],
                             },
                             to: Variable {
                              identifier: "wantsAPIVFS",
                              position: (124, 26),
                             },
                            },
                            Binding {
                             from: AttributePath {
                              parts: [
                               Raw {
                                content: "ProtectControlGroups",
                                position: (125, 11),
                               },
                              ],
                             },
                             to: Variable {
                              identifier: "wantsAPIVFS",
                              position: (125, 34),
                             },
                            },
                            Binding {
                             from: AttributePath {
                              parts: [
                               Raw {
                                content: "ProtectKernelModules",
                                position: (126, 11),
                               },
                              ],
                             },
                             to: Variable {
                              identifier: "wantsAPIVFS",
                              position: (126, 34),
                             },
                            },
                            Binding {
                             from: AttributePath {
                              parts: [
                               Raw {
                                content: "ProtectKernelTunables",
                                position: (127, 11),
                               },
                              ],
                             },
                             to: Variable {
                              identifier: "wantsAPIVFS",
                              position: (127, 35),
                             },
                            },
                           ],
                           recursive: false,
                           position: (105, 25),
                          },
                         },
                         Binding {
                          from: AttributePath {
                           parts: [
                            Raw {
                             content: "confinement",
                             position: (129, 9),
                            },
                            Raw {
                             content: "packages",
                             position: (129, 21),
                            },
                           ],
                          },
                          to: LetIn {
                           bindings: [
                            Binding {
                             from: AttributePath {
                              parts: [
                               Raw {
                                content: "execOpts",
                                position: (130, 11),
                               },
                              ],
                             },
                             to: List {
                              elements: [
                               String {
                                parts: [
                                 Raw {
                                  content: "ExecReload",
                                  position: (131, 14),
                                 },
                                ],
                                position: (131, 13),
                               },
                               String {
                                parts: [
                                 Raw {
                                  content: "ExecStart",
                                  position: (131, 27),
                                 },
                                ],
                                position: (131, 26),
                               },
                               String {
                                parts: [
                                 Raw {
                                  content: "ExecStartPost",
                                  position: (131, 39),
                                 },
                                ],
                                position: (131, 38),
                               },
                               String {
                                parts: [
                                 Raw {
                                  content: "ExecStartPre",
                                  position: (131, 55),
                                 },
                                ],
                                position: (131, 54),
                               },
                               String {
                                parts: [
                                 Raw {
                                  content: "ExecStop",
                                  position: (131, 70),
                                 },
                                ],
                                position: (131, 69),
                               },
                               String {
                                parts: [
                                 Raw {
                                  content: "ExecStopPost",
                                  position: (132, 14),
                                 },
                                ],
                                position: (132, 13),
                               },
                              ],
                              position: (130, 22),
                             },
                            },
                            Binding {
                             from: AttributePath {
                              parts: [
                               Raw {
                                content: "execPkgs",
                                position: (134, 11),
                               },
                              ],
                             },
                             to: FunctionApplication {
                              function: PropertyAccess {
                               expression: Variable {
                                identifier: "lib",
                                position: (134, 22),
                               },
                               attribute_path: AttributePath {
                                parts: [
                                 Raw {
                                  content: "concatMap",
                                  position: (134, 26),
                                 },
                                ],
                               },
                               default: None,
                              },
                              arguments: [
                               Parentheses {
                                expression: Function {
                                 argument: Simple {
                                  identifier: "opt",
                                 },
                                 definition: LetIn {
                                  bindings: [
                                   Binding {
                                    from: AttributePath {
                                     parts: [
                                      Raw {
                                       content: "isSet",
                                       position: (135, 13),
                                      },
                                     ],
                                    },
                                    to: HasProperty {
                                     expression: PropertyAccess {
                                      expression: Variable {
                                       identifier: "config",
                                       position: (135, 21),
                                      },
                                      attribute_path: AttributePath {
                                       parts: [
                                        Raw {
                                         content: "serviceConfig",
                                         position: (135, 28),
                                        },
                                       ],
                                      },
                                      default: None,
                                     },
                                     attribute_path: AttributePath {
                                      parts: [
                                       Expression {
                                        expression: Variable {
                                         identifier: "opt",
                                         position: (135, 46),
                                        },
                                       },
                                      ],
                                     },
                                     position: (135, 42),
                                    },
                                   },
                                  ],
                                  target: FunctionApplication {
                                   function: PropertyAccess {
                                    expression: Variable {
                                     identifier: "lib",
                                     position: (136, 14),
                                    },
                                    attribute_path: AttributePath {
                                     parts: [
                                      Raw {
                                       content: "flatten",
                                       position: (136, 18),
                                      },
                                     ],
                                    },
                                    default: None,
                                   },
                                   arguments: [
                                    Parentheses {
                                     expression: FunctionApplication {
                                      function: PropertyAccess {
                                       expression: Variable {
                                        identifier: "lib",
                                        position: (136, 27),
                                       },
                                       attribute_path: AttributePath {
                                        parts: [
                                         Raw {
                                          content: "optional",
                                          position: (136, 31),
                                         },
                                        ],
                                       },
                                       default: None,
                                      },
                                      arguments: [
                                       Variable {
                                        identifier: "isSet",
                                        position: (136, 40),
                                       },
                                       PropertyAccess {
                                        expression: Variable {
                                         identifier: "config",
                                         position: (136, 46),
                                        },
                                        attribute_path: AttributePath {
                                         parts: [
                                          Raw {
                                           content: "serviceConfig",
                                           position: (136, 53),
                                          },
                                          Expression {
                                           expression: Variable {
                                            identifier: "opt",
                                            position: (136, 69),
                                           },
                                          },
                                         ],
                                        },
                                        default: None,
                                       },
                                      ],
                                     },
                                     position: (136, 26),
                                    },
                                   ],
                                  },
                                  position: (134, 42),
                                 },
                                 position: (134, 37),
                                },
                                position: (134, 36),
                               },
                               Variable {
                                identifier: "execOpts",
                                position: (136, 76),
                               },
                              ],
                             },
                            },
                            Binding {
                             from: AttributePath {
                              parts: [
                               Raw {
                                content: "unitAttrs",
                                position: (137, 11),
                               },
                              ],
                             },
                             to: PropertyAccess {
                              expression: Variable {
                               identifier: "toplevelConfig",
                               position: (137, 23),
                              },
                              attribute_path: AttributePath {
                               parts: [
                                Raw {
                                 content: "systemd",
                                 position: (137, 38),
                                },
                                Raw {
                                 content: "units",
                                 position: (137, 46),
                                },
                                Expression {
                                 expression: String {
                                  parts: [
                                   Expression {
                                    expression: Variable {
                                     identifier: "name",
                                     position: (137, 55),
                                    },
                                   },
                                   Raw {
                                    content: ".service",
                                    position: (137, 60),
                                   },
                                  ],
                                  position: (137, 52),
                                 },
                                },
                               ],
                              },
                              default: None,
                             },
                            },
                            Binding {
                             from: AttributePath {
                              parts: [
                               Raw {
                                content: "allPkgs",
                                position: (138, 11),
                               },
                              ],
                             },
                             to: FunctionApplication {
                              function: PropertyAccess {
                               expression: Variable {
                                identifier: "lib",
                                position: (138, 21),
                               },
                               attribute_path: AttributePath {
                                parts: [
                                 Raw {
                                  content: "singleton",
                                  position: (138, 25),
                                 },
                                ],
                               },
                               default: None,
                              },
                              arguments: [
                               Parentheses {
                                expression: FunctionApplication {
                                 function: PropertyAccess {
                                  expression: Variable {
                                   identifier: "builtins",
                                   position: (138, 36),
                                  },
                                  attribute_path: AttributePath {
                                   parts: [
                                    Raw {
                                     content: "toJSON",
                                     position: (138, 45),
                                    },
                                   ],
                                  },
                                  default: None,
                                 },
                                 arguments: [
                                  Variable {
                                   identifier: "unitAttrs",
                                   position: (138, 52),
                                  },
                                 ],
                                },
                                position: (138, 35),
                               },
                              ],
                             },
                            },
                            Binding {
                             from: AttributePath {
                              parts: [
                               Raw {
                                content: "unitPkgs",
                                position: (139, 11),
                               },
                              ],
                             },
                             to: IfThenElse {
                              predicate: Variable {
                               identifier: "fullUnit",
                               position: (139, 25),
                              },
                              then: Variable {
                               identifier: "allPkgs",
                               position: (139, 39),
                              },
                              else_: Variable {
                               identifier: "execPkgs",
                               position: (139, 52),
                              },
                              position: (139, 22),
                             },
                            },
                           ],
                           target: BinaryOperation {
                            operator: Concatenation,
                            operands: [
                             Variable {
                              identifier: "unitPkgs",
                              position: (140, 12),
                             },
                             FunctionApplication {
                              function: PropertyAccess {
                               expression: Variable {
                                identifier: "lib",
                                position: (140, 24),
                               },
                               attribute_path: AttributePath {
                                parts: [
                                 Raw {
                                  content: "optional",
                                  position: (140, 28),
                                 },
                                ],
                               },
                               default: None,
                              },
                              arguments: [
                               Parentheses {
                                expression: BinaryOperation {
                                 operator: NotEqualTo,
                                 operands: [
                                  Variable {
                                   identifier: "binSh",
                                   position: (140, 38),
                                  },
                                  Variable {
                                   identifier: "null",
                                   position: (140, 47),
                                  },
                                 ],
                                 position: (140, 44),
                                },
                                position: (140, 37),
                               },
                               Variable {
                                identifier: "binSh",
                                position: (140, 53),
                               },
                              ],
                             },
                            ],
                            position: (140, 21),
                           },
                           position: (129, 32),
                          },
                         },
                        ],
                        recursive: false,
                        position: (104, 45),
                       },
                      ],
                     },
                     position: (100, 16),
                    },
                   },
                  ],
                  recursive: false,
                  position: (9, 67),
                 },
                 position: (9, 44),
                },
                position: (9, 43),
               },
              ],
             },
             position: (9, 26),
            },
           ],
          },
         },
        ],
        recursive: false,
        position: (8, 43),
       },
      ],
     },
    },
    Binding {
     from: AttributePath {
      parts: [
       Raw {
        content: "config",
        position: (145, 3),
       },
       Raw {
        content: "assertions",
        position: (145, 10),
       },
      ],
     },
     to: FunctionApplication {
      function: PropertyAccess {
       expression: Variable {
        identifier: "lib",
        position: (145, 23),
       },
       attribute_path: AttributePath {
        parts: [
         Raw {
          content: "concatLists",
          position: (145, 27),
         },
        ],
       },
       default: None,
      },
      arguments: [
       Parentheses {
        expression: FunctionApplication {
         function: PropertyAccess {
          expression: Variable {
           identifier: "lib",
           position: (145, 40),
          },
          attribute_path: AttributePath {
           parts: [
            Raw {
             content: "mapAttrsToList",
             position: (145, 44),
            },
           ],
          },
          default: None,
         },
         arguments: [
          Parentheses {
           expression: Function {
            argument: Simple {
             identifier: "name",
            },
            definition: Function {
             argument: Simple {
              identifier: "cfg",
             },
             definition: LetIn {
              bindings: [
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "whatOpt",
                   position: (146, 5),
                  },
                 ],
                },
                to: Function {
                 argument: Simple {
                  identifier: "optName",
                 },
                 definition: BinaryOperation {
                  operator: Addition,
                  operands: [
                   BinaryOperation {
                    operator: Addition,
                    operands: [
                     String {
                      parts: [
                       Raw {
                        content: "The 'serviceConfig' option '",
                        position: (146, 25),
                       },
                       Expression {
                        expression: Variable {
                         identifier: "optName",
                         position: (146, 55),
                        },
                       },
                       Raw {
                        content: "' for",
                        position: (146, 63),
                       },
                      ],
                      position: (146, 24),
                     },
                     String {
                      parts: [
                       Raw {
                        content: " service '",
                        position: (147, 24),
                       },
                       Expression {
                        expression: Variable {
                         identifier: "name",
                         position: (147, 36),
                        },
                       },
                       Raw {
                        content: "' is enabled in conjunction with",
                        position: (147, 41),
                       },
                      ],
                      position: (147, 23),
                     },
                    ],
                    position: (147, 21),
                   },
                   String {
                    parts: [
                     Raw {
                      content: " 'confinement.enable'",
                      position: (148, 24),
                     },
                    ],
                    position: (148, 23),
                   },
                  ],
                  position: (148, 21),
                 },
                 position: (146, 15),
                },
               },
              ],
              target: FunctionApplication {
               function: PropertyAccess {
                expression: Variable {
                 identifier: "lib",
                 position: (149, 6),
                },
                attribute_path: AttributePath {
                 parts: [
                  Raw {
                   content: "optionals",
                   position: (149, 10),
                  },
                 ],
                },
                default: None,
               },
               arguments: [
                PropertyAccess {
                 expression: Variable {
                  identifier: "cfg",
                  position: (149, 20),
                 },
                 attribute_path: AttributePath {
                  parts: [
                   Raw {
                    content: "confinement",
                    position: (149, 24),
                   },
                   Raw {
                    content: "enable",
                    position: (149, 36),
                   },
                  ],
                 },
                 default: None,
                },
                List {
                 elements: [
                  Map {
                   bindings: [
                    Binding {
                     from: AttributePath {
                      parts: [
                       Raw {
                        content: "assertion",
                        position: (150, 7),
                       },
                      ],
                     },
                     to: UnaryOperation {
                      operator: Not,
                      operand: PropertyAccess {
                       expression: Variable {
                        identifier: "cfg",
                        position: (150, 20),
                       },
                       attribute_path: AttributePath {
                        parts: [
                         Raw {
                          content: "serviceConfig",
                          position: (150, 24),
                         },
                         Raw {
                          content: "RootDirectoryStartOnly",
                          position: (150, 38),
                         },
                        ],
                       },
                       default: Some(
                        Variable {
                         identifier: "false",
                         position: (150, 64),
                        },
                       ),
                      },
                      position: (150, 19),
                     },
                    },
                    Binding {
                     from: AttributePath {
                      parts: [
                       Raw {
                        content: "message",
                        position: (151, 7),
                       },
                      ],
                     },
                     to: BinaryOperation {
                      operator: Addition,
                      operands: [
                       BinaryOperation {
                        operator: Addition,
                        operands: [
                         BinaryOperation {
                          operator: Addition,
                          operands: [
                           String {
                            parts: [
                             Expression {
                              expression: FunctionApplication {
                               function: Variable {
                                identifier: "whatOpt",
                                position: (151, 20),
                               },
                               arguments: [
                                String {
                                 parts: [
                                  Raw {
                                   content: "RootDirectoryStartOnly",
                                   position: (151, 29),
                                  },
                                 ],
                                 position: (151, 28),
                                },
                               ],
                              },
                             },
                             Raw {
                              content: ", but right now systemd",
                              position: (151, 53),
                             },
                            ],
                            position: (151, 17),
                           },
                           String {
                            parts: [
                             Raw {
                              content: " doesn't support restricting bind-mounts to 'ExecStart'.",
                              position: (152, 18),
                             },
                            ],
                            position: (152, 17),
                           },
                          ],
                          position: (152, 15),
                         },
                         String {
                          parts: [
                           Raw {
                            content: " Please either define a separate service or find a way to run",
                            position: (153, 18),
                           },
                          ],
                          position: (153, 17),
                         },
                        ],
                        position: (153, 15),
                       },
                       String {
                        parts: [
                         Raw {
                          content: " commands other than ExecStart within the chroot.",
                          position: (154, 18),
                         },
                        ],
                        position: (154, 17),
                       },
                      ],
                      position: (154, 15),
                     },
                    },
                   ],
                   recursive: false,
                   position: (150, 5),
                  },
                  Map {
                   bindings: [
                    Binding {
                     from: AttributePath {
                      parts: [
                       Raw {
                        content: "assertion",
                        position: (156, 7),
                       },
                      ],
                     },
                     to: UnaryOperation {
                      operator: Not,
                      operand: PropertyAccess {
                       expression: Variable {
                        identifier: "cfg",
                        position: (156, 20),
                       },
                       attribute_path: AttributePath {
                        parts: [
                         Raw {
                          content: "serviceConfig",
                          position: (156, 24),
                         },
                         Raw {
                          content: "DynamicUser",
                          position: (156, 38),
                         },
                        ],
                       },
                       default: Some(
                        Variable {
                         identifier: "false",
                         position: (156, 53),
                        },
                       ),
                      },
                      position: (156, 19),
                     },
                    },
                    Binding {
                     from: AttributePath {
                      parts: [
                       Raw {
                        content: "message",
                        position: (157, 7),
                       },
                      ],
                     },
                     to: BinaryOperation {
                      operator: Addition,
                      operands: [
                       BinaryOperation {
                        operator: Addition,
                        operands: [
                         String {
                          parts: [
                           Expression {
                            expression: FunctionApplication {
                             function: Variable {
                              identifier: "whatOpt",
                              position: (157, 20),
                             },
                             arguments: [
                              String {
                               parts: [
                                Raw {
                                 content: "DynamicUser",
                                 position: (157, 29),
                                },
                               ],
                               position: (157, 28),
                              },
                             ],
                            },
                           },
                           Raw {
                            content: ". Please create a dedicated user via",
                            position: (157, 42),
                           },
                          ],
                          position: (157, 17),
                         },
                         String {
                          parts: [
                           Raw {
                            content: " the 'users.users' option instead as this combination is",
                            position: (158, 18),
                           },
                          ],
                          position: (158, 17),
                         },
                        ],
                        position: (158, 15),
                       },
                       String {
                        parts: [
                         Raw {
                          content: " currently not supported.",
                          position: (159, 18),
                         },
                        ],
                        position: (159, 17),
                       },
                      ],
                      position: (159, 15),
                     },
                    },
                   ],
                   recursive: false,
                   position: (156, 5),
                  },
                  Map {
                   bindings: [
                    Binding {
                     from: AttributePath {
                      parts: [
                       Raw {
                        content: "assertion",
                        position: (161, 7),
                       },
                      ],
                     },
                     to: BinaryOperation {
                      operator: Implication,
                      operands: [
                       HasProperty {
                        expression: PropertyAccess {
                         expression: Variable {
                          identifier: "cfg",
                          position: (161, 19),
                         },
                         attribute_path: AttributePath {
                          parts: [
                           Raw {
                            content: "serviceConfig",
                            position: (161, 23),
                           },
                          ],
                         },
                         default: None,
                        },
                        attribute_path: AttributePath {
                         parts: [
                          Raw {
                           content: "ProtectSystem",
                           position: (161, 39),
                          },
                         ],
                        },
                        position: (161, 37),
                       },
                       BinaryOperation {
                        operator: EqualTo,
                        operands: [
                         PropertyAccess {
                          expression: Variable {
                           identifier: "cfg",
                           position: (161, 56),
                          },
                          attribute_path: AttributePath {
                           parts: [
                            Raw {
                             content: "serviceConfig",
                             position: (161, 60),
                            },
                            Raw {
                             content: "ProtectSystem",
                             position: (161, 74),
                            },
                           ],
                          },
                          default: None,
                         },
                         Variable {
                          identifier: "false",
                          position: (161, 91),
                         },
                        ],
                        position: (161, 88),
                       },
                      ],
                      position: (161, 53),
                     },
                    },
                    Binding {
                     from: AttributePath {
                      parts: [
                       Raw {
                        content: "message",
                        position: (162, 7),
                       },
                      ],
                     },
                     to: BinaryOperation {
                      operator: Addition,
                      operands: [
                       BinaryOperation {
                        operator: Addition,
                        operands: [
                         String {
                          parts: [
                           Expression {
                            expression: FunctionApplication {
                             function: Variable {
                              identifier: "whatOpt",
                              position: (162, 20),
                             },
                             arguments: [
                              String {
                               parts: [
                                Raw {
                                 content: "ProtectSystem",
                                 position: (162, 29),
                                },
                               ],
                               position: (162, 28),
                              },
                             ],
                            },
                           },
                           Raw {
                            content: ". ProtectSystem is not compatible",
                            position: (162, 44),
                           },
                          ],
                          position: (162, 17),
                         },
                         String {
                          parts: [
                           Raw {
                            content: " with service confinement as it fails to remount /usr within",
                            position: (163, 18),
                           },
                          ],
                          position: (163, 17),
                         },
                        ],
                        position: (163, 15),
                       },
                       String {
                        parts: [
                         Raw {
                          content: " our chroot. Please disable the option.",
                          position: (164, 18),
                         },
                        ],
                        position: (164, 17),
                       },
                      ],
                      position: (164, 15),
                     },
                    },
                   ],
                   recursive: false,
                   position: (161, 5),
                  },
                 ],
                 position: (149, 43),
                },
               ],
              },
              position: (145, 71),
             },
             position: (145, 66),
            },
            position: (145, 60),
           },
           position: (145, 59),
          },
          PropertyAccess {
           expression: Variable {
            identifier: "config",
            position: (166, 6),
           },
           attribute_path: AttributePath {
            parts: [
             Raw {
              content: "systemd",
              position: (166, 13),
             },
             Raw {
              content: "services",
              position: (166, 21),
             },
            ],
           },
           default: None,
          },
         ],
        },
        position: (145, 39),
       },
      ],
     },
    },
    Binding {
     from: AttributePath {
      parts: [
       Raw {
        content: "config",
        position: (168, 3),
       },
       Raw {
        content: "systemd",
        position: (168, 10),
       },
       Raw {
        content: "packages",
        position: (168, 18),
       },
      ],
     },
     to: FunctionApplication {
      function: PropertyAccess {
       expression: Variable {
        identifier: "lib",
        position: (168, 29),
       },
       attribute_path: AttributePath {
        parts: [
         Raw {
          content: "concatLists",
          position: (168, 33),
         },
        ],
       },
       default: None,
      },
      arguments: [
       Parentheses {
        expression: FunctionApplication {
         function: PropertyAccess {
          expression: Variable {
           identifier: "lib",
           position: (168, 46),
          },
          attribute_path: AttributePath {
           parts: [
            Raw {
             content: "mapAttrsToList",
             position: (168, 50),
            },
           ],
          },
          default: None,
         },
         arguments: [
          Parentheses {
           expression: Function {
            argument: Simple {
             identifier: "name",
            },
            definition: Function {
             argument: Simple {
              identifier: "cfg",
             },
             definition: LetIn {
              bindings: [
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "rootPaths",
                   position: (169, 5),
                  },
                 ],
                },
                to: LetIn {
                 bindings: [
                  Binding {
                   from: AttributePath {
                    parts: [
                     Raw {
                      content: "contents",
                      position: (170, 7),
                     },
                    ],
                   },
                   to: FunctionApplication {
                    function: PropertyAccess {
                     expression: Variable {
                      identifier: "lib",
                      position: (170, 18),
                     },
                     attribute_path: AttributePath {
                      parts: [
                       Raw {
                        content: "concatStringsSep",
                        position: (170, 22),
                       },
                      ],
                     },
                     default: None,
                    },
                    arguments: [
                     String {
                      parts: [
                       Raw {
                        content: "\n",
                        position: (170, 40),
                       },
                      ],
                      position: (170, 39),
                     },
                     PropertyAccess {
                      expression: Variable {
                       identifier: "cfg",
                       position: (170, 44),
                      },
                      attribute_path: AttributePath {
                       parts: [
                        Raw {
                         content: "confinement",
                         position: (170, 48),
                        },
                        Raw {
                         content: "packages",
                         position: (170, 60),
                        },
                       ],
                      },
                      default: None,
                     },
                    ],
                   },
                  },
                 ],
                 target: FunctionApplication {
                  function: PropertyAccess {
                   expression: Variable {
                    identifier: "pkgs",
                    position: (171, 8),
                   },
                   attribute_path: AttributePath {
                    parts: [
                     Raw {
                      content: "writeText",
                      position: (171, 13),
                     },
                    ],
                   },
                   default: None,
                  },
                  arguments: [
                   String {
                    parts: [
                     Expression {
                      expression: FunctionApplication {
                       function: Variable {
                        identifier: "mkPathSafeName",
                        position: (171, 26),
                       },
                       arguments: [
                        Variable {
                         identifier: "name",
                         position: (171, 41),
                        },
                       ],
                      },
                     },
                     Raw {
                      content: "-string-contexts.txt",
                      position: (171, 46),
                     },
                    ],
                    position: (171, 23),
                   },
                   Variable {
                    identifier: "contents",
                    position: (171, 68),
                   },
                  ],
                 },
                 position: (169, 17),
                },
               },
               Binding {
                from: AttributePath {
                 parts: [
                  Raw {
                   content: "chrootPaths",
                   position: (173, 5),
                  },
                 ],
                },
                to: FunctionApplication {
                 function: PropertyAccess {
                  expression: Variable {
                   identifier: "pkgs",
                   position: (173, 19),
                  },
                  attribute_path: AttributePath {
                   parts: [
                    Raw {
                     content: "runCommand",
                     position: (173, 24),
                    },
                   ],
                  },
                  default: None,
                 },
                 arguments: [
                  String {
                   parts: [
                    Expression {
                     expression: FunctionApplication {
                      function: Variable {
                       identifier: "mkPathSafeName",
                       position: (173, 38),
                      },
                      arguments: [
                       Variable {
                        identifier: "name",
                        position: (173, 53),
                       },
                      ],
                     },
                    },
                    Raw {
                     content: "-chroot-paths",
                     position: (173, 58),
                    },
                   ],
                   position: (173, 35),
                  },
                  Map {
                   bindings: [
                    Binding {
                     from: AttributePath {
                      parts: [
                       Raw {
                        content: "closureInfo",
                        position: (174, 7),
                       },
                      ],
                     },
                     to: FunctionApplication {
                      function: PropertyAccess {
                       expression: Variable {
                        identifier: "pkgs",
                        position: (174, 21),
                       },
                       attribute_path: AttributePath {
                        parts: [
                         Raw {
                          content: "closureInfo",
                          position: (174, 26),
                         },
                        ],
                       },
                       default: None,
                      },
                      arguments: [
                       Map {
                        bindings: [
                         Inherit {
                          from: None,
                          attributes: [
                           Raw {
                            content: "rootPaths",
                            position: (174, 48),
                           },
                          ],
                         },
                        ],
                        recursive: false,
                        position: (174, 38),
                       },
                      ],
                     },
                    },
                    Binding {
                     from: AttributePath {
                      parts: [
                       Raw {
                        content: "serviceName",
                        position: (175, 7),
                       },
                      ],
                     },
                     to: String {
                      parts: [
                       Expression {
                        expression: Variable {
                         identifier: "name",
                         position: (175, 24),
                        },
                       },
                       Raw {
                        content: ".service",
                        position: (175, 29),
                       },
                      ],
                      position: (175, 21),
                     },
                    },
                    Binding {
                     from: AttributePath {
                      parts: [
                       Raw {
                        content: "excludedPath",
                        position: (176, 7),
                       },
                      ],
                     },
                     to: Variable {
                      identifier: "rootPaths",
                      position: (176, 22),
                     },
                    },
                   ],
                   recursive: false,
                   position: (173, 73),
                  },
                  String {
                   parts: [
                    Raw {
                     content: "mkdir -p \"$out/lib/systemd/system/$serviceName.d\"\nserviceFile=\"$out/lib/systemd/system/$serviceName.d/confinement.conf\"\n\necho '[Service]' > \"$serviceFile\"\n\n# /bin/sh is special here, because the option value could contain a\n# symlink and we need to properly resolve it.\n",
                     position: (178, 1),
                    },
                    Expression {
                     expression: FunctionApplication {
                      function: PropertyAccess {
                       expression: Variable {
                        identifier: "lib",
                        position: (185, 9),
                       },
                       attribute_path: AttributePath {
                        parts: [
                         Raw {
                          content: "optionalString",
                          position: (185, 13),
                         },
                        ],
                       },
                       default: None,
                      },
                      arguments: [
                       Parentheses {
                        expression: BinaryOperation {
                         operator: NotEqualTo,
                         operands: [
                          PropertyAccess {
                           expression: Variable {
                            identifier: "cfg",
                            position: (185, 29),
                           },
                           attribute_path: AttributePath {
                            parts: [
                             Raw {
                              content: "confinement",
                              position: (185, 33),
                             },
                             Raw {
                              content: "binSh",
                              position: (185, 45),
                             },
                            ],
                           },
                           default: None,
                          },
                          Variable {
                           identifier: "null",
                           position: (185, 54),
                          },
                         ],
                         position: (185, 51),
                        },
                        position: (185, 28),
                       },
                       String {
                        parts: [
                         Raw {
                          content: "binsh=",
                          position: (186, 1),
                         },
                         Expression {
                          expression: FunctionApplication {
                           function: PropertyAccess {
                            expression: Variable {
                             identifier: "lib",
                             position: (186, 17),
                            },
                            attribute_path: AttributePath {
                             parts: [
                              Raw {
                               content: "escapeShellArg",
                               position: (186, 21),
                              },
                             ],
                            },
                            default: None,
                           },
                           arguments: [
                            PropertyAccess {
                             expression: Variable {
                              identifier: "cfg",
                              position: (186, 36),
                             },
                             attribute_path: AttributePath {
                              parts: [
                               Raw {
                                content: "confinement",
                                position: (186, 40),
                               },
                               Raw {
                                content: "binSh",
                                position: (186, 52),
                               },
                              ],
                             },
                             default: None,
                            },
                           ],
                          },
                         },
                         Raw {
                          content: "\nrealprog=\"$(readlink -e \"$binsh\")\"\necho \"BindReadOnlyPaths=$realprog:/bin/sh\" >> \"$serviceFile\"\n",
                          position: (186, 58),
                         },
                        ],
                        position: (185, 60),
                       },
                      ],
                     },
                    },
                    Raw {
                     content: "\n\nwhile read storePath; do\n  if [ -L \"$storePath\" ]; then\n    # Currently, systemd can't cope with symlinks in Bind(ReadOnly)Paths,\n    # so let's just bind-mount the target to that location.\n    echo \"BindReadOnlyPaths=$(readlink -e \"$storePath\"):$storePath\"\n  elif [ \"$storePath\" != \"$excludedPath\" ]; then\n    echo \"BindReadOnlyPaths=$storePath\"\n  fi\ndone < \"$closureInfo/store-paths\" >> \"$serviceFile\"\n",
                     position: (189, 10),
                    },
                   ],
                   position: (177, 7),
                  },
                 ],
                },
               },
              ],
              target: FunctionApplication {
               function: PropertyAccess {
                expression: Variable {
                 identifier: "lib",
                 position: (201, 6),
                },
                attribute_path: AttributePath {
                 parts: [
                  Raw {
                   content: "optional",
                   position: (201, 10),
                  },
                 ],
                },
                default: None,
               },
               arguments: [
                PropertyAccess {
                 expression: Variable {
                  identifier: "cfg",
                  position: (201, 19),
                 },
                 attribute_path: AttributePath {
                  parts: [
                   Raw {
                    content: "confinement",
                    position: (201, 23),
                   },
                   Raw {
                    content: "enable",
                    position: (201, 35),
                   },
                  ],
                 },
                 default: None,
                },
                Variable {
                 identifier: "chrootPaths",
                 position: (201, 42),
                },
               ],
              },
              position: (168, 77),
             },
             position: (168, 72),
            },
            position: (168, 66),
           },
           position: (168, 65),
          },
          PropertyAccess {
           expression: Variable {
            identifier: "config",
            position: (201, 55),
           },
           attribute_path: AttributePath {
            parts: [
             Raw {
              content: "systemd",
              position: (201, 62),
             },
             Raw {
              content: "services",
              position: (201, 70),
             },
            ],
           },
           default: None,
          },
         ],
        },
        position: (168, 45),
       },
      ],
     },
    },
   ],
   recursive: false,
   position: (7, 4),
  },
  position: (3, 1),
 },
 position: (1, 1),
}