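# Host hardening baseline for a NixOS system.  The topic-specific pieces
# (systemd sandboxing, sudo-over-ssh, AppArmor, OpenSnitch, DNS encryption,
# mount restrictions) live in the imported modules; this file adds the kernel,
# login and /etc settings that do not belong to any one of them.
{ lib, pkgs, config, ... }:

{
  imports = [
    ./systemd
    ./ssh-as-sudo.nix
    ./apparmor
    ./opensnitch
    ./security.nix
    ./encrypt-dns.nix
    ./filesystem-deny-mount.nix
  ];

  # Extra boot entry with the two most intrusive controls switched off, so the
  # machine stays reachable if OpenSnitch or an AppArmor profile blocks
  # something essential.  mkForce overrides the `enable = true` set below and
  # anything the imported modules set.
  specialisation.unhardened.configuration = {
    services.opensnitch.enable = lib.mkForce false;
    security.apparmor.enable = lib.mkForce false;
  };

  systemd.oomd.enable = false;

  # Network-stack sysctls.  Every knob is set on both "all" and "default" so
  # that interfaces created after boot inherit the same policy; the original
  # had send_redirects only on "all" and accept_source_route only on
  # "default", which left newly created interfaces with the kernel defaults.
  boot.kernel.sysctl = {
    # Do not accept IPv6 router advertisements.
    "net.ipv6.conf.all.accept_ra" = 0;
    "net.ipv6.conf.default.accept_ra" = 0;
    # Neither send nor accept ICMP redirects (secure_redirects covers the
    # "from a known gateway" exception).
    "net.ipv4.conf.all.send_redirects" = 0;
    "net.ipv4.conf.default.send_redirects" = 0;
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.default.accept_redirects" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;
    "net.ipv4.conf.all.secure_redirects" = 0;
    "net.ipv4.conf.default.secure_redirects" = 0;
    # Drop source-routed packets.
    "net.ipv4.conf.all.accept_source_route" = 0;
    "net.ipv4.conf.default.accept_source_route" = 0;
    # Log packets with impossible source addresses.
    "net.ipv4.conf.all.log_martians" = 1;
    "net.ipv4.conf.default.log_martians" = 1;
    # Ignore ICMP echo to broadcast addresses (smurf amplification).
    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
    # Strict reverse-path filtering (1 = strict, 2 would be loose).
    "net.ipv4.conf.all.rp_filter" = 1;
    "net.ipv4.conf.default.rp_filter" = 1;
    # Never write core dumps of setuid processes.
    "fs.suid_dumpable" = 0;
  };

  # Mirror users.motd (set further down) into /etc/motd.
  environment.etc."motd" = {
    text = config.users.motd;
    mode = "644";
  };

  # NOTE(review): pam_limits reads /etc/security/limits.conf, not
  # /etc/limits.conf, so this entry is probably not enforced.  The NixOS way
  # to express the same limit is
  #   security.pam.loginLimits = [ { domain = "*"; type = "hard"; item = "core"; value = "0"; } ];
  # Left as the author wrote it; confirm before switching.
  environment.etc."limits.conf".text = "* hard core 0";

  # TCP wrappers policy for libwrap-aware services.  hosts.deny is left empty,
  # so anything not matched by hosts.allow is still permitted; a default-deny
  # would be `ALL: ALL` in hosts.deny.  Note that many current daemons
  # (OpenSSH included) no longer consult these files at all.
  environment.etc."hosts.allow" = {
    text = "ALL: LOCAL";
    mode = "644";
  };
  environment.etc."hosts.deny" = {
    text = "";
    mode = "644";
  };

  # Pre-login banners for local (issue) and network (issue.net) logins.
  environment.etc."issue" = {
    text = "Authorized uses only. All activity may be monitored and reported.";
    mode = "644";
  };
  environment.etc."issue.net" = {
    text = "Authorized uses only. 
All activity may be monitored and reported.";
    mode = "644";
  };

  # Backup-file symlinks for the account databases; kept disabled as in the
  # original (reason not recorded here).
  # systemd.tmpfiles.rules = [
  #   "L+ /etc/passwd- 0644 root root - /etc/passwd"
  #   "L+ /etc/shadow- 0644 root root - /etc/shadow"
  #   "L+ /etc/group- 0644 root root - /etc/group"
  #   "L+ /etc/gshadow- 0644 root root - /etc/gshadow"
  # ];

  users.motd = "welcome to grimms paranoid box";

  # shadow's login.defs.  PASS_MAX_DAYS stays commented out (no forced
  # rotation); the minimum age and warning window still apply.  ENCRYPT_METHOD
  # is the hash the shadow tools use for newly set passwords.
  security.loginDefs.settings = {
    # PASS_MAX_DAYS = 365;
    PASS_MIN_DAYS = 7;
    PASS_WARN_AGE = 14;
    ENCRYPT_METHOD = "SHA512";
  };

  # No TPM2 integration, no emergency shell on boot failure (NixOS documents
  # it as an unauthenticated root shell), no Open vSwitch.
  systemd.tpm2.enable = false;
  systemd.enableEmergencyMode = false;
  virtualisation.vswitch.enable = false;
  # systemd-resolved is off; presumably ./encrypt-dns.nix provides the
  # resolver instead — confirm.
  services.resolved.enable = false;

  # Deviations from the NixOS hardened profile defaults, presumably for
  # desktop usability (confirm): unprivileged user namespaces are re-enabled
  # (needed by bubblewrap/browser sandboxes, but a recurring kernel attack
  # surface), and SMT stays on (the hardened profile disables it against
  # cross-thread side channels).
  security.unprivilegedUsernsClone = true;
  security.apparmor.enable = true;
  security.allowSimultaneousMultithreading = true;

  # Strip the NixOS default package set (mkForce beats the module default) and
  # install only an editor, ClamAV and linux-bench.
  environment.defaultPackages = lib.mkForce [ ];
  environment.systemPackages = with pkgs; [
    nano
    clamav
    linux-bench
  ];
}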