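# NixOS module: systemd sandboxing for the auditd service.
#
# The hardening block is only applied when at least one specialisation is
# defined; that is the original author's condition and the reason for it is
# not visible here.
{ lib, config, ... }:
{
  config.systemd.services = lib.mkIf (config.specialisation != { }) {
    auditd.serviceConfig = {
      # Left disabled by the author; confirm auditd's capability needs before
      # enabling a bounding set.
      # CapabilityBoundingSet = [ "CAP_AUDIT_*" "CAP_SYSLOG" "CAP_SYS_NICE" "CAP_SYS_PACCT" "CAP_SYS_PTRACE" ];
      NoNewPrivileges = true;
      # NOTE(review): "pid" permits creating pid namespaces and denies the
      # other types; `true` would deny all of them. Kept as the author had it.
      RestrictNamespaces = "pid";
      ProtectControlGroups = true;
      ProtectKernelModules = true;
      MemoryDenyWriteExecute = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = "@system-service";
      LockPersonality = true;
      ProtectHostname = true;
      ProtectSystem = true;
      # Left disabled by the author.
      # PrivateUsers = true;
      # PrivateNetwork = true;
      RestrictRealtime = true;
      # Deny all IP traffic for the unit. The original `IPAddressAllow = [ ]`
      # was a no-op: an empty list renders no directive, and an allow list is
      # only consulted against an IPAddressDeny= list anyway.
      IPAddressDeny = "any";
      # Only netlink sockets (the audit subsystem is reached via netlink);
      # no AF_INET/AF_INET6/AF_UNIX sockets can be created.
      RestrictAddressFamilies = "AF_NETLINK";
    };
  };
}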