darwin02: add sandbox workaround

hosts/darwin02/configuration.nix

@@ -8,6 +8,11 @@
     inputs.self.darwinModules.remote-builder
   ];
 
+  # can be removed when we switch back to the nixpkgs hercules-ci-agent
+  system.systemBuilderArgs.sandboxProfile = ''
+    (allow file-read* file-write* process-exec mach-lookup (subpath "${builtins.storeDir}"))
+  '';
+
   nix.settings.sandbox = "relaxed";
   nix.settings.extra-platforms = [ "x86_64-darwin" ];