{ lib, config, ... }:
{
  config.systemd.services = lib.mkIf (config.specialisation != { }) {
    wpa_supplicant.serviceConfig = {
      CapabilityBoundingSet = [
        ""
        (lib.concatStringsSep " " [
          "cap_net_bind_service"
          "cap_net_admin"
          "cap_net_raw"
          "cap_net_broadcast"
        ])
      ];
      NoNewPrivileges = true;
      RestrictNamespaces = "net";
      ProtectControlGroups = true;
      ProtectKernelModules = true;
      MemoryDenyWriteExecute = true;
      RestrictSUIDSGID = true;
      ProtectProc = "invisible";
      SystemCallArchitectures = "native";
      SystemCallFilter = "@system-service";
      LockPersonality = true;

      ProcSubset = "pid";
      ProtectSystem = true;
    };
  };
}