{
  lib,
  config,
  ...
}:
let
  # Gate for the whole hardening block. It is true in the top-level system
  # configuration once at least one specialisation is declared.
  # NOTE(review): as I recall, NixOS overrides `specialisation` to `{ }`
  # inside each specialisation's own configuration, so the net effect is
  # "parent system only, never inside a specialisation" — and a host that
  # declares no specialisation at all gets no hardening either. Confirm
  # that this is the intended scope.
  applyHardening = config.specialisation != { };

  # Namespace types to forbid. NixOS renders a list as one
  # `RestrictNamespaces=~<type>` line per element, and systemd.exec(5)
  # merges "~"-prefixed lines by AND, so every type listed here is denied.
  # These are the seven types systemd knows, which makes the policy the
  # same as `RestrictNamespaces = true`, just spelled out explicitly.
  forbiddenNamespaces = map (ns: "~${ns}") [
    "pid"
    "user"
    "net"
    "uts"
    "mnt"
    "cgroup"
    "ipc"
  ];
in
{
  # Additional systemd sandboxing for the nscd unit. These keys are merged
  # into whatever serviceConfig the upstream NixOS nscd module already
  # sets; nothing here replaces that definition wholesale.
  config.systemd.services = lib.mkIf applyHardening {
    nscd.serviceConfig = {
      # --- privileges and capabilities ---
      # No privilege gain across execve(); the service also cannot create
      # set-user-ID / set-group-ID files.
      NoNewPrivileges = true;
      RestrictSUIDSGID = true;
      # Capability ceiling. With PrivateUsers= (below) these only count
      # inside the service's own user namespace. NOTE(review): whether nscd
      # needs CAP_SETUID/CAP_SETGID at all depends on how the upstream
      # module starts it (presumably glibc nscd drops to its server-user
      # by itself, whereas a fixed `User=` would make them redundant) —
      # verify. "cap_dac_override" is accepted because libcap's name lookup
      # is case-insensitive, but its siblings use the canonical uppercase
      # spelling that systemd.exec(5) documents. It lets the process bypass
      # file permission checks, a broad grant for a cache daemon — confirm
      # it is actually required before keeping it.
      CapabilityBoundingSet = [
        "CAP_SETGID"
        "CAP_SETUID"
        "cap_dac_override"
      ];
      # Private user namespace: per systemd.exec(5) only root and the
      # service's own user/group are mapped to themselves.
      PrivateUsers = true;
      # Pin the execution domain (personality()).
      LockPersonality = true;

      # --- system calls ---
      # Allow-list: any syscall outside @system-service terminates the
      # process with SIGSYS. Native ABI only, so no compat entry points.
      SystemCallFilter = "@system-service";
      SystemCallArchitectures = "native";
      # No memory mappings that are writable and executable at once.
      MemoryDenyWriteExecute = true;
      RestrictRealtime = true;

      # --- namespaces and network ---
      RestrictNamespaces = forbiddenNamespaces;
      # AF_UNIX for the nscd client socket, AF_INET/AF_INET6 for upstream
      # resolvers. NOTE(review): if lookups start failing under this
      # sandbox, AF_NETLINK is the usual missing family (glibc probes
      # interface addresses over netlink for AI_ADDRCONFIG); check the
      # journal before widening the list.
      RestrictAddressFamilies = [
        "AF_UNIX"
        "AF_INET"
        "AF_INET6"
      ];

      # --- file system ---
      # Whole tree read-only except paths the unit explicitly declares
      # writable. NOTE(review): /run/nscd presumably comes from the
      # upstream module's RuntimeDirectory=, which stays writable under
      # "strict" — confirm nscd can still create its socket there.
      ProtectSystem = "strict";
      PrivateTmp = true;
      # Private /dev with pseudo-devices only.
      PrivateDevices = true;
      PrivateMounts = true;
      # Hide other users' processes in /proc.
      ProtectProc = "invisible";

      # --- kernel surface ---
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;
    };
  };
}