# NixOS module that wires a selected set of apparmor.d profiles into the
# system AppArmor policy set.
#
# Profile *names* come from `security.apparmor_d.profiles`, i.e. from the
# trusted NixOS configuration, not from runtime input.  Each name is resolved
# to a regular file inside the apparmor-d package while the configuration is
# evaluated, so a typo or a profile that the package does not ship fails
# evaluation instead of failing later when the parser tries to load it.
{ pkgs, config, lib, ... }:
let
  cfg = config.security.apparmor_d;

  # The apparmor.d profile collection, built from the local package expression.
  apparmor-d = pkgs.callPackage ./apparmor-d-package.nix { };

  # Store path of one named profile inside the package.  Because the path is
  # interpolated from the derivation, the existence check in `mkPolicy` needs
  # the package to be built during evaluation (import-from-derivation).
  profilePath = name: "${apparmor-d}/etc/apparmor.d/${name}";

  # Turn one `name = state` entry of `cfg.profiles` into a value for
  # `security.apparmor.policies`.  `state` is passed through unchanged
  # ("disable" | "complain" | "enforce"); the policy text is a single
  # `include` of the packaged profile file, guarded by the existence check.
  mkPolicy = name: state:
    let
      file = profilePath name;
    in
    {
      inherit state;
      profile =
        assert lib.assertMsg (lib.pathIsRegularFile file)
          "profile ${name} not found in apparmor.d path (${file})";
        ''include "${file}"'';
    };
in
{
  options.security.apparmor_d = {
    enable = lib.mkEnableOption "enable apparmor.d support";

    # Map of profile name -> enforcement state for that profile.
    profiles = lib.mkOption {
      type = lib.types.attrsOf (lib.types.enum [ "disable" "complain" "enforce" ]);
      default = { };
      description = "set of apparmor profiles to include from apparmor.d";
    };
  };

  config = lib.mkIf cfg.enable {
    # Register the package with the AppArmor module; presumably required so the
    # profiles' own `include` directives (abstractions, tunables) resolve --
    # confirm against the `security.apparmor.packages` option documentation.
    security.apparmor.packages = [ apparmor-d ];

    # One policy per requested profile, each with its requested state.
    security.apparmor.policies = lib.mapAttrs mkPolicy cfg.profiles;

    # Additional boot entry with AppArmor forced off.  This is a recovery escape
    # hatch: selecting it at the bootloader boots the same system without any
    # AppArmor confinement, so bootloader access decides who can bypass the
    # profiles configured above.
    specialisation.no-apparmor.configuration = {
      security.apparmor.enable = lib.mkForce false;
    };

    # Also install the package itself so its files are reachable from the
    # system profile.
    environment.systemPackages = [ apparmor-d ];
  };
}