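# Extra systemd sandboxing for the Bluetooth stack: serviceConfig overrides
# for bluetoothd (`bluetooth.service`) and blueman's privileged helper
# (`blueman-mechanism.service`).  The NixOS module system merges these with
# any definitions other modules make for the same units, so list-valued
# directives below are added to, not substituted for, existing ones.
{ lib, config, ... }:
{
  # Only contributes anything while at least one specialisation is defined
  # (`config.specialisation != { }`).
  config.systemd.services = lib.mkIf (config.specialisation != { }) {
    bluetooth.serviceConfig = {
      # Capabilities the daemon may ever hold; everything else is dropped.
      CapabilityBoundingSet = [
        "CAP_NET_BIND_SERVICE" # sockets and tethering
      ];
      # Allow-list of socket families the daemon may create.
      # NOTE(review): bluetoothd talks to the kernel over AF_BLUETOOTH sockets;
      # if no other fragment of the effective unit adds that family, this list
      # would block them -- confirm against
      # `systemctl show bluetooth -p RestrictAddressFamilies`.
      RestrictAddressFamilies = [
        "AF_UNIX" # sockets
        "AF_INET" # tethering
        "AF_INET6" # tethering
        "AF_NETLINK" # daemon callback
      ];
      NoNewPrivileges = true;
      # Deny-list: systemd AND-s repeated `~type` lines, and these are the
      # seven namespace types it knows about, so this appears equivalent to
      # `RestrictNamespaces = true` (deny all).
      RestrictNamespaces = [
        "~pid"
        "~user"
        "~net"
        "~uts"
        "~mnt"
        "~cgroup"
        "~ipc"
      ];
      ProtectControlGroups = true;
      MemoryDenyWriteExecute = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = "@system-service"; # allow-list of syscall groups
      LockPersonality = true;
      RestrictRealtime = true;
      ProtectProc = "invisible";
      PrivateTmp = true;

      # Deliberately left off for the daemon (the blueman helper below turns it on).
      PrivateUsers = false;

      # loading hardware modules
      ProtectKernelModules = false;
      ProtectKernelTunables = false;

      PrivateNetwork = false; # tethering
    };

    blueman-mechanism.serviceConfig = {
      # The empty entry emits `CapabilityBoundingSet=`, which resets the
      # bounding set to nothing: the helper keeps no capabilities at all.
      # NOTE(review): confirm the helper's privileged operations still succeed
      # under this (EPERM in its journal would be the symptom).
      CapabilityBoundingSet = [
        ""
      ];
      NoNewPrivileges = true;
      # NOTE(review): without the `~` prefix this is an allow-list that permits
      # *only* pid namespaces, unlike the deny form used for bluetooth above.
      # If the intent is to forbid namespace creation entirely,
      # `RestrictNamespaces = true;` does that.
      RestrictNamespaces = "pid";
      ProtectControlGroups = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      MemoryDenyWriteExecute = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = "@system-service"; # allow-list of syscall groups
      LockPersonality = true;
      RestrictRealtime = true;
      ProtectProc = "invisible";
      PrivateUsers = true;
    };
  };
}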