Lassulus
diff --git a/‎CHANGELOG.md‎
Lines changed: 36 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 58 additions & 0 deletions b/‎README.md‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎checks/env-fallback-unset.nix‎
Lines changed: 63 additions & 0 deletions b/‎checks/env-fallback-unset.nix‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎checks/env-prefix-suffix.nix‎
Lines changed: 155 additions & 0 deletions b/‎checks/env-prefix-suffix.nix‎
Lines changed: 155 additions & 0 deletions
@@ -15,13 +15,49 @@
   were explicitly passing `flagSeparator = " "` to get separate args,
   remove it (or change to `null`).
 
+- `env` option type changed from `attrsOf str` to a richer submodule
+  (see "Added" below). Plain-string and path values keep coercing to
+  the old behaviour, so `env.FOO = "bar"` is unchanged. Passthru
+  `wrapPackage` callers now get the structured form on
+  `passthru.env`; read `passthru.env.<name>.value` instead of
+  `passthru.env.<name>` if you need the literal. The systemd
+  integration reads from `config.outputs.staticEnv` instead of
+  `config.env` and silently drops entries that can't be expressed as
+  a static literal (prefix/suffix, values, fallback, unset).
+
 ### Added
 
 - `lib/modules/command.nix`: base module with shared command spec
   (args, env, hooks, exePath) used by both wrapper and systemd outputs.
 - `lib/modules/flags.nix`: flags module with per-flag ordering via
   `{ value, order }` submodules. Default order is 1000. Reading
   `config.flags` returns clean values (order is transparent).
+- `lib/modules/env.nix`: env module with richer per-variable options
+  for safe composition, modelled on `makeWrapper`'s `--prefix` /
+  `--suffix` but usable through the NixOS module system.
+  - `env.<VAR>.value`: literal string (same as `env.<VAR> = "..."`).
+  - `env.<VAR>.prefix` / `.suffix`: parts to splice around the
+    existing value of the variable. Empty or unset existing values
+    drop out cleanly with no stray separators.
+  - `env.<VAR>.values`: explicit list of parts to join, with
+    `wlib.envRef "OTHER"` placeholders for runtime env references.
+  - `env.<VAR>.separator`: join separator (default `:`).
+  - `env.<VAR>.fallback = true`: only set the variable when it is
+    not already set in the caller's environment (uses `${VAR+set}`
+    semantics).
+  - `env.<VAR>.unset = true`: emit `unset VAR` instead of an
+    assignment. `env.VAR = null` is sugar for this.
+  - List-valued entries (`values`, `prefix`, `suffix`) merge by
+    concatenation when composed via `apply`, so multiple modules can
+    stack contributions onto the same variable without fighting.
+- `wlib.envRef :: name -> envRef`: marker used inside `values` /
+  `prefix` / `suffix` lists to reference another env variable at
+  runtime. Dropped cleanly if the referenced variable is unset.
+- `wlib.renderEnvString :: env -> str`: pure helper that renders an
+  `env` attrset into the shell snippet the wrapper uses. Exposed
+  for testing and downstream composition.
+- `outputs.staticEnv`: subset of `env` that resolves to a plain
+  literal string, used by the systemd integration.
 - `wrapper.nix` injects `"$@"` into args at order 1001, controllable
   via the ordering system.
 - `outputs.wrapper` as the canonical output path (config.wrapper is
 
@@ -91,6 +91,64 @@ wrappers.lib.wrapPackage {
 }
 ```
 
+### Environment Variables
+
+Environment variables can be set in three forms, with the richer form
+available both via `wrapPackage` and through the `env.<NAME>` option
+of wrapper modules.
+
+```nix
+{
+  env = {
+    # 1. Plain literal string (same as before):
+    FOO = "bar";
+
+    # 2. Null to explicitly unset a variable inherited from the
+    #    caller's environment:
+    NOISY_OLD_VAR = null;
+
+    # 3. Structured form with the following fields:
+    #
+    #    - value: literal string
+    #    - prefix / suffix: parts to splice around the existing value
+    #      of the variable (like `makeWrapper --prefix/--suffix`).
+    #      Empty or unset existing values drop out cleanly.
+    #    - values: explicit list of parts, joined with `separator`.
+    #      Use `wlib.envRef "OTHER"` to reference another variable
+    #      at runtime.
+    #    - separator: join separator (default ":")
+    #    - fallback: only set if the variable isn't already set
+    #    - unset: emit `unset VAR` (takes precedence)
+
+    # Prepend to PATH, keeping the caller's existing entries:
+    PATH.prefix = [ "/opt/bin" ];
+
+    # Append to XDG_DATA_DIRS:
+    XDG_DATA_DIRS.suffix = [ "/opt/share" ];
+
+    # Build LD_LIBRARY_PATH with the existing value somewhere in the
+    # middle, not just at the edges:
+    LD_LIBRARY_PATH.values = [
+      "/opt/lib"
+      (wrappers.lib.envRef "LD_LIBRARY_PATH")
+      "/other/lib"
+    ];
+
+    # Only set EDITOR if the user hasn't picked one already:
+    EDITOR = {
+      value = "vim";
+      fallback = true;
+    };
+  };
+}
+```
+
+`prefix`, `suffix` and `values` are lists, so they compose via module
+merging: multiple modules (or multiple `apply` calls) contributing to
+the same variable stack their contributions instead of fighting over
+a single string. Empty parts are filtered at runtime, so unset env
+references never leave behind dangling separators.
+
 ### Creating Custom Wrapper Modules
 
 ```nix
 
@@ -0,0 +1,63 @@
+{
+  pkgs,
+  self,
+}:
+
+# Fallback (only-set-if-unset) and explicit unset handling.
+let
+  wlib = self.lib;
+
+  showEnv = pkgs.writeShellScriptBin "show-env" ''
+    printf 'EDITOR=%s\n' "''${EDITOR-<unset>}"
+    printf 'BLOAT=%s\n' "''${BLOAT-<unset>}"
+  '';
+
+  wrapped =
+    (wlib.wrapModule (
+      { config, ... }:
+      {
+        config.package = showEnv;
+        config.env.EDITOR = {
+          value = "vim";
+          fallback = true;
+        };
+        # `null` is sugar for `unset = true`, exercise both forms.
+        config.env.BLOAT = null;
+      }
+    ).apply { pkgs = pkgs; }).wrapper;
+in
+pkgs.runCommand "env-fallback-unset-test" { } ''
+  set -eu
+  script="${wrapped}/bin/show-env"
+
+  # Fallback: EDITOR unset → set to vim.
+  editor_unset=$(unset EDITOR && "$script" | grep '^EDITOR=' | cut -d= -f2-)
+  if [ "$editor_unset" = "vim" ]; then
+    echo "PASS: fallback applied when unset"
+  else
+    echo "FAIL: fallback unset case: '$editor_unset'"
+    cat "$script"
+    exit 1
+  fi
+
+  # Fallback: EDITOR already set → preserved.
+  editor_set=$(EDITOR=nano "$script" | grep '^EDITOR=' | cut -d= -f2-)
+  if [ "$editor_set" = "nano" ]; then
+    echo "PASS: fallback preserved existing value"
+  else
+    echo "FAIL: fallback preserved case: '$editor_set'"
+    exit 1
+  fi
+
+  # Unset: BLOAT should be unset even if caller exports it.
+  bloat_result=$(BLOAT=garbage "$script" | grep '^BLOAT=' | cut -d= -f2-)
+  if [ "$bloat_result" = "<unset>" ]; then
+    echo "PASS: unset overrides caller env"
+  else
+    echo "FAIL: unset case: '$bloat_result'"
+    cat "$script"
+    exit 1
+  fi
+
+  touch $out
+''
@@ -0,0 +1,155 @@
+{
+  pkgs,
+  self,
+}:
+
+# Prefix/suffix composition for env variables.
+#
+# Goals:
+# 1. A `prefix`/`suffix` entry splices around the existing value of
+#    the variable and leaves no dangling separator when that variable
+#    is unset or empty.
+# 2. Multiple modules contributing to the same variable via `apply`
+#    compose via list concatenation, not via string overwriting.
+#
+# We use a custom variable name (WRAPPER_TEST_VAR) instead of PATH so
+# that unsetting it inside a subshell doesn't break the shell itself.
+let
+  wlib = self.lib;
+
+  showVar = pkgs.writeShellScriptBin "show-var" ''
+    printf 'WRAPPER_TEST_VAR=%s\n' "''${WRAPPER_TEST_VAR-<unset>}"
+  '';
+
+  base = wlib.wrapModule (
+    { config, ... }:
+    {
+      config.package = showVar;
+      config.env.WRAPPER_TEST_VAR.prefix = [ "/base-pre" ];
+      config.env.WRAPPER_TEST_VAR.suffix = [ "/base-post" ];
+    }
+  );
+
+  extended = (base.apply { pkgs = pkgs; }).apply {
+    env.WRAPPER_TEST_VAR.prefix = [ "/extra-pre" ];
+    env.WRAPPER_TEST_VAR.suffix = [ "/extra-post" ];
+  };
+
+  wrapped = extended.wrapper;
+in
+pkgs.runCommand "env-prefix-suffix-test" { } ''
+  set -eu
+  script="${wrapped}/bin/show-var"
+  if [ ! -f "$script" ]; then
+    echo "FAIL: wrapper script not found"
+    exit 1
+  fi
+
+  # Case 1: WRAPPER_TEST_VAR unset — prefix and suffix join with no
+  # dangling separators, no stray reference to the empty existing
+  # value.
+  unset WRAPPER_TEST_VAR
+  result_unset=$("$script" | grep '^WRAPPER_TEST_VAR=' | cut -d= -f2-)
+  case "$result_unset" in
+    *:*:*)
+      # good, at least three parts (two prefixes + two suffixes all
+      # joined together — order is list-concatenation order)
+      ;;
+    *)
+      echo "FAIL: unset case collapsed too aggressively: '$result_unset'"
+      cat "$script"
+      exit 1
+      ;;
+  esac
+  case "$result_unset" in
+    *::*)
+      echo "FAIL: unset case has double colon (stray separator): '$result_unset'"
+      cat "$script"
+      exit 1
+      ;;
+    :*|*:)
+      echo "FAIL: unset case has leading/trailing colon: '$result_unset'"
+      exit 1
+      ;;
+    *)
+      echo "PASS: unset case has no dangling separators: $result_unset"
+      ;;
+  esac
+  case "$result_unset" in
+    */base-pre*) ;;
+    *)
+      echo "FAIL: base prefix missing: '$result_unset'"
+      exit 1
+      ;;
+  esac
+  case "$result_unset" in
+    */extra-pre*) ;;
+    *)
+      echo "FAIL: extra prefix missing (apply list merge?): '$result_unset'"
+      exit 1
+      ;;
+  esac
+  case "$result_unset" in
+    */base-post*) ;;
+    *)
+      echo "FAIL: base suffix missing: '$result_unset'"
+      exit 1
+      ;;
+  esac
+  case "$result_unset" in
+    */extra-post*) ;;
+    *)
+      echo "FAIL: extra suffix missing (apply list merge?): '$result_unset'"
+      exit 1
+      ;;
+  esac
+
+  # Case 2: WRAPPER_TEST_VAR set — prefixes appear before, suffixes
+  # after, and the existing value survives in the middle.
+  export WRAPPER_TEST_VAR=/user-value
+  result_set=$("$script" | grep '^WRAPPER_TEST_VAR=' | cut -d= -f2-)
+  case "$result_set" in
+    */user-value*)
+      echo "PASS: existing value preserved: $result_set"
+      ;;
+    *)
+      echo "FAIL: existing value lost: '$result_set'"
+      exit 1
+      ;;
+  esac
+  # Prefixes must appear before the existing middle value.
+  prefix_part="''${result_set%%/user-value*}"
+  case "$prefix_part" in
+    */base-pre*) ;;
+    *)
+      echo "FAIL: base prefix not before existing value: '$result_set'"
+      exit 1
+      ;;
+  esac
+  # Suffixes must appear after.
+  suffix_part="''${result_set##*/user-value}"
+  case "$suffix_part" in
+    */base-post*) ;;
+    *)
+      echo "FAIL: base suffix not after existing value: '$result_set'"
+      exit 1
+      ;;
+  esac
+
+  # Case 3: WRAPPER_TEST_VAR set to the empty string. Empty is filtered
+  # the same as unset so the middle drops out cleanly.
+  export WRAPPER_TEST_VAR=""
+  result_empty=$("$script" | grep '^WRAPPER_TEST_VAR=' | cut -d= -f2-)
+  case "$result_empty" in
+    *::*)
+      echo "FAIL: empty existing value left a double colon: '$result_empty'"
+      exit 1
+      ;;
+    *)
+      echo "PASS: empty existing value collapsed cleanly: $result_empty"
+      ;;
+  esac
+
+  echo "SUCCESS: env prefix/suffix composition works"
+  touch $out
+''