diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix b/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix
index 6175fb5a..d904f85e 100644
--- a/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix
@@ -120,7 +120,7 @@ in
 bubblewrapModule = { config, lib, pkgs, name, ... }:
 let
- submoduleCfg = config;
+ submoduleCfg = config.sandboxing.bubblewrap;
 in
 {
 options.sandboxing.bubblewrap =
@@ -151,7 +151,7 @@ in
 };
 config = lib.mkIf (config.sandboxing.variant == "bubblewrap") {
- bubblewrap.dbus.filter.extraArgs =
+ sandboxing.bubblewrap.dbus.filter.extraArgs =
 let
 makeDbusProxyArgs = address: metadata: [ address metadata.path ] ++ metadata.extraArgs;
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/default.nix b/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
index 746688ae..82464ffd 100644
--- a/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
@@ -121,7 +121,7 @@ in
 # TODO: All of the Linux-exclusive flags could be handled by the
 # launcher instead. ALSO MODULARIZE THIS CRAP!
 # Ordering of the arguments here matter(?).
- bubblewrap.extraArgs =
+ sandboxing.bubblewrap.extraArgs =
 cfg.extraArgs ++ lib.optionals stdenv.isLinux [
 "--proc" "/proc" 
@@ -138,14 +138,14 @@ in
 }
 (lib.mkIf submoduleCfg.enableSharedNixStore {
- bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ];
+ sandboxing.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ];
 })
 (lib.mkIf submoduleCfg.enableNetwork {
 # In case isolation is also enabled, we'll have this still
 # enabled at least.
- bubblewrap.extraArgs = lib.mkAfter [ "--share-net" ];
- bubblewrap.binds.ro = [
+ sandboxing.bubblewrap.extraArgs = lib.mkAfter [ "--share-net" ];
+ sandboxing.bubblewrap.binds.ro = [
 "/etc/ssh"
 "/etc/hosts"
 "/etc/resolv.conf"
@@ -153,7 +153,8 @@ in
 })
 (lib.mkIf submoduleCfg.enableIsolation {
- bubblewrap.extraArgs = lib.mkBefore [ "--unshare-all" ];
+ sandboxing.bubblewrap.extraArgs = lib.mkBefore [ "--unshare-all" ];
+ })
 })
 ]);
 };
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix b/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
index 2cf6abc4..59cf449a 100644
--- a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
@@ -77,7 +77,7 @@ in
 options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = false; };
 config = lib.mkIf (config.sandboxing.variant == "bubblewrap") {
- bubblewrap.extraArgs =
+ sandboxing.bubblewrap.filesystem =
 lib.lists.flatten (lib.mapAttrsToList (dst: metadata:
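Review bot: The added `+ })` right after `sandboxing.bubblewrap.extraArgs = lib.mkBefore [ "--unshare-all" ];` in the `@@ -153,7 +153,8 @@` hunk of default.nix closes the `enableIsolation` block a second time, because the original `})` is still present as the context line directly below it; with `]);` then closing the enclosing list, the new side of the file has one more `})` than it opens and should fail to parse, unless an opening brace was introduced somewhere in default.nix outside the hunks shown here. Dropping the added line restores the balance so the block ends `})` / `]);` / `};` as before. The other hunks in this file and in dbus-filter.nix are a consistent `bubblewrap.*` → `sandboxing.bubblewrap.*` rename; the filesystem.nix hunk instead retargets the assignment from `extraArgs` to `filesystem`, so presumably some consumer of `sandboxing.bubblewrap.filesystem` now turns those entries into bind arguments — that hunk runs past the end of the view, so it cannot be confirmed here.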