{ lib, config, ... }:
{
  config.systemd.services = lib.mkIf (config.specialisation != { }) {
    "getty@".serviceConfig = {

      CapabilityBoundingSet = [
        "CAP_CHOWN"
        "CAP_FOWNER"
        "CAP_FSETID"
        "CAP_SETGID"
        "CAP_SETUID"
        "CAP_SYS_NICE"
        "CAP_SYS_RESOURCE"
        "CAP_SYS_TTY_CONFIG"
      ];

      # NoNewPrivileges = true;

      RestrictNamespaces = [
        "~pid"
        "~user"
        "~net"
        "~uts"
        "~mnt"
        "~cgroup"
        "~ipc"
      ];

      ProtectControlGroups = true;
      ProtectHome = false;
      #      ProtectClock = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      MemoryDenyWriteExecute = true;
      # RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = lib.mkForce "@system-service";
      LockPersonality = true;
      ProtectProc = "invisible";

      # PrivateUsers=true;
      PrivateNetwork = true;
      RestrictAddressFamilies = "AF_UNIX";
      # ProtectSystem=true;
    };
  };
}