{ writeTextFile, nsjail }:

let
  inner = writeTextFile {
    name = "ocamlStudentModuleInner";
    executable = true;
    text = ''
      INTERFACE_FILE=$1
      STUDENT_FILE=$2
      DRIVER_FILE=$3

      ocamlc -o student.cmi $INTERFACE_FILE
      ocamlc -o student.cmo $STUDENT_FILE
      ocaml student.cmo $DRIVER_FILE
    '';
  };
in
writeTextFile {
  name = "ocamlStudentModule";
  executable = true;
  text = ''
    JAIL=$(mktemp -d)
    ${nsjail}/bin/nsjail \
      -Mo \ # launch a single process using clone/execve
      --chroot $JAIL
      ${inner}
  '';
}