{
  lib,
  pkgs,
  ...
}:
{
  imports = [
    ./systemd
    ./ssh-as-sudo.nix
    ./apparmor
    ./opensnitch
    ./security.nix
    ./encrypt-dns.nix
  ];

  specialisation.unhardened.configuration = {
    services.opensnitch.enable = lib.mkForce false;
    security.apparmor.enable = lib.mkForce false;
  };
  #

  systemd.tpm2.enable = false;
  systemd.enableEmergencyMode = false;
  virtualisation.vswitch.enable = false;
  services.resolved.enable = false;
  security.unprivilegedUsernsClone = true;
  security.apparmor.enable = true;
  security.allowSimultaneousMultithreading = true;
  environment.defaultPackages = lib.mkForce [ ];
  environment.systemPackages = with pkgs; [ nano ];
}