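{ config, pkgs, lib ? pkgs.lib, ... }:

let
  cfg = config.services.fixMallocPkgs;

  # wrapNoPreload FINAL EXE PKG
  #
  # Returns a drop-in replacement for PKG whose `bin/EXE` is a small shell
  # script that starts the original `bin/EXE` under bubblewrap with the
  # system-wide `ld-nix.so.preload` masked by /dev/null, so the globally
  # configured custom allocator is not preloaded into this one program.
  # Every other file of PKG is symlinked through unchanged.
  #
  # Notes:
  #  * The wrapper is generated at build time, but the `readlink` runs on the
  #    target machine at launch, where /etc/static exists.  Running the bwrap
  #    command directly in `postBuild` (as the previous version did) executes
  #    it inside the build sandbox, where neither /etc/static nor user
  #    namespaces are available, so the build fails.
  #  * `--dev-bind / /` exposes the entire host filesystem to the child; this
  #    is a preload mask, not an isolation sandbox, and gives no confinement.
  #  * If the preload symlink is absent (no custom allocator configured) the
  #    program is started directly instead of handing bwrap an empty path,
  #    which would otherwise shift its arguments.
  #  * Assumes PKG ships `bin/EXE` and that /etc/static/ld-nix.so.preload is
  #    the symlink NixOS installs for the preload file — confirm on target.
  wrapNoPreload = final: exe: pkg:
    final.symlinkJoin {
      name = exe;
      paths = [ pkg ];
      postBuild = ''
        rm "$out/bin/${exe}"
        cat > "$out/bin/${exe}" <<'EOF'
        #!${final.runtimeShell}
        preload="$(readlink /etc/static/ld-nix.so.preload 2>/dev/null || true)"
        if [ -n "$preload" ]; then
          exec ${final.bubblewrap}/bin/bwrap --dev-bind / / \
            --ro-bind /dev/null "$preload" \
            ${pkg}/bin/${exe} "$@"
        fi
        exec ${pkg}/bin/${exe} "$@"
        EOF
        chmod +x "$out/bin/${exe}"
      '';
    };
in
{
  ###### interface
  options.services.fixMallocPkgs = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Enable overlay to disable custom memory allocators to affected packages (based on grapheneos-light)
      '';
    };
    # the simple-go-server does not actually support specifying a port
    # so this actually does nothing, but it could/should be picked up and
    # inserted into the systemd config for the service
    # port = mkOption {
    #   type = types.int;
    #   default = 8080;
    #   description = ''
    #     The port to run the service on
    #   '';
    # };
  };

  ###### implementation
  config = lib.mkIf cfg.enable {
    # A single overlay replaces both packages.  `final`/`prev` are used rather
    # than the module's `pkgs` so the overlay composes with other overlays.
    # The tor-browser entry previously built an FHS environment with no
    # `name`/`targetPkgs` and a `$out` that is undefined at run time; it now
    # gets the same wrapper as firefox.
    nixpkgs.overlays = [
      (final: prev: {
        firefox = wrapNoPreload final "firefox" prev.firefox;
        tor-browser = wrapNoPreload final "tor-browser" prev.tor-browser;
      })
    ];
  };
}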