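# Host-wide systemd sandboxing defaults, plus the per-service exceptions
# needed to keep the system bootable.
#
# Everything here is gated on `config.specialisation != { }`.  NixOS
# evaluates each specialisation's own configuration with `specialisation`
# reset to an empty set, so as far as this file shows the hardening lands on
# the parent generation only and every specialisation boots *without* it.
# NOTE(review): that makes a specialisation an unhardened fallback rather
# than an equally protected boot entry — confirm this is the intent.
#
# Defaults are set with `mkDefault` so the overrides below (or any other
# module) win simply by assigning the option.
{ lib, config, ... }:
let
  inherit (lib) mkDefault mkIf types;

  # True while this configuration declares at least one specialisation.
  hardeningActive = config.specialisation != { };

  # Units that must NOT receive the more intrusive knobs (PrivateTmp today,
  # the commented-out filters below once they are enabled): upstream
  # `systemd-*` units ship their own sandboxing, the user-session units need
  # the real /tmp, and nix-daemon builds under /tmp.
  isIntrusionSafe =
    name:
    !(lib.hasPrefix "systemd-" name)
    && !(lib.elem name [
      "user@"
      "user-runtime-dir@"
      "nix-daemon"
    ]);
in
{
  # Extend the existing `systemd.services` option with a submodule that
  # injects defaults into every unit's [Service] section.  A second
  # `attrsOf (submodule …)` declaration merges with the NixOS one.
  options.systemd.services = lib.mkOption {
    type = types.attrsOf (
      types.submodule (
        { name, ... }:
        {
          config.serviceConfig = mkIf hardeningActive {
            # ProtectHome/ProtectClock/ProtectHostname are applied to EVERY
            # unit, including upstream `systemd-*` ones; anything that must
            # write to /home or set the clock needs an override below.
            ProtectHome = mkDefault true;
            ProtectClock = mkDefault true;
            ProtectHostname = mkDefault true;
            PrivateTmp = mkIf (isIntrusionSafe name) (mkDefault true);

            # Not enabled yet: each needs a wider exception list than the
            # one below before it can be turned on host-wide.
            # NoNewPrivileges = mkIf (isIntrusionSafe name) (mkDefault true); # TODO: this one is quite radical
            # SystemCallFilter = mkIf (isIntrusionSafe name) (mkDefault "@system-service");
            # SystemCallArchitectures = mkIf (isIntrusionSafe name) (mkDefault "native");
            # ProtectKernelLogs = mkIf (isIntrusionSafe name) (mkDefault true);
            # LockPersonality = mkDefault true;
          };
        }
      )
    );
  };

  config = mkIf hardeningActive {
    systemd.services = {
      # ---- ProtectHome -------------------------------------------------
      # Login/session plumbing and the account daemons write into /home.
      "user-runtime-dir@".serviceConfig.ProtectHome = false;
      "user@".serviceConfig.ProtectHome = false;
      systemd-homed.serviceConfig.ProtectHome = false;
      systemd-homed-activate.serviceConfig.ProtectHome = false;
      sshd.serviceConfig.ProtectHome = false;
      display-manager.serviceConfig.ProtectHome = "read-only";
      dbus-broker.serviceConfig.ProtectHome = "read-only";

      # ---- PrivateTmp --------------------------------------------------
      # Early-boot mount helpers must see the real /tmp.
      zfs-mount.serviceConfig.PrivateTmp = false;
      kmod-static-nodes.serviceConfig.PrivateTmp = false;
      mount-pstore.serviceConfig.PrivateTmp = false;
      # TODO: tpm things
      # "user@".serviceConfig.PrivateTmp = false; # make sddm happy
      # "user-runtime-dir@".serviceConfig.PrivateTmp = false; # make sddm happy

      # ---- NoNewPrivileges ---------------------------------------------
      # NOTE(review): the NoNewPrivileges default above is still commented
      # out, so these explicit `false` values relax nothing from this
      # module — but they DO override a NoNewPrivileges=yes coming from the
      # upstream unit or another module.  Keep them only if that is wanted.
      polkit.serviceConfig.NoNewPrivileges = false;
      "getty@".serviceConfig.NoNewPrivileges = false;
      "user@".serviceConfig.NoNewPrivileges = false;
      # TODO: dbus?

      NetworkManager.serviceConfig = {
        # The leading "" resets the bounding set before granting only the
        # network capabilities.  NetworkManager runs as root, so this set is
        # the capability ceiling for it and for anything it spawns.
        # NOTE(review): upstream's NetworkManager.service grants a wider set
        # (it includes at least CAP_SYS_MODULE and CAP_DAC_OVERRIDE, as I
        # recall); confirm the reduced set covers every feature in use here
        # (VPN plugins, helper processes, module auto-loading).
        CapabilityBoundingSet = [
          ""
          (lib.concatStringsSep " " [
            "cap_net_bind_service"
            "cap_net_admin"
            "cap_net_raw"
          ])
        ];
        UMask = "0022";
        NoNewPrivileges = true;
        RestrictNamespaces = "net uts";
        ProtectControlGroups = true;
        # PrivateDevices
        ProtectKernelModules = true;
        MemoryDenyWriteExecute = true;
        RestrictSUIDSGID = true;
      };

      # ---- ProtectKernelLogs -------------------------------------------
      # Same caveat as NoNewPrivileges: the default is not enabled yet, so
      # these only matter if something else sets ProtectKernelLogs=yes.
      auditd.serviceConfig.ProtectKernelLogs = false;
      audit.serviceConfig.ProtectKernelLogs = false;

      # ---- SystemCallFilter --------------------------------------------
      # NOTE(review): an empty SystemCallFilter clears EVERY filter on the
      # unit, including any the upstream unit file ships, and the
      # host-wide default above is still commented out.  Until that default
      # is enabled, these lines can only weaken a unit, never relax this
      # module.
      "getty@".serviceConfig.SystemCallFilter = "";
      # "user@".serviceConfig.SystemCallFilter = "";
      # "user-runtime-dir@".serviceConfig.SystemCallFilter = "";
      display-manager.serviceConfig.SystemCallFilter = "";
      # nix-daemon.serviceConfig.SystemCallFilter = "";
      sshd.serviceConfig.SystemCallFilter = "";
      rtkit-daemon.serviceConfig.SystemCallFilter = "";

      # ---- ProtectClock ------------------------------------------------
      # Clock setters need CAP_SYS_TIME and the @clock syscalls back.
      # The NTP client's unit is `systemd-timesyncd.service`; the key used
      # before (`systemd-timesync`) matched no unit, so timesyncd was left
      # with the host-wide ProtectClock=yes and a stub unit was generated.
      systemd-timesyncd.serviceConfig = {
        ProtectClock = false;
        SystemCallFilter = "@system-service @clock";
      };
      save-hwclock.serviceConfig = {
        ProtectClock = false;
        SystemCallFilter = "@system-service @clock";
      };

      # LockPersonality default is not enabled yet either (see above).
      pipewire.serviceConfig.LockPersonality = false;
    };
  };
}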