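# Systemd sandboxing for the CUPS daemon (`systemd.services.cups.serviceConfig`).
#
# Module arguments: the standard NixOS module set (`lib`, `config`).
# NOTE(review): the whole block is gated on `config.specialisation != { }`,
# i.e. it only applies when at least one specialisation is defined — confirm
# that this is the intended condition and not an artefact of an earlier layout.
{ lib, config, ... }:
{
  config.systemd.services = lib.mkIf (config.specialisation != { }) {
    cups.serviceConfig = {
      # One capability per list element: the module renders each element as
      # its own `CapabilityBoundingSet=` line and systemd ORs repeated lines
      # together, so this is equivalent to the single space-separated string
      # but is easier to diff and audit.
      CapabilityBoundingSet = [
        "CAP_LEASE"
        "CAP_MKNOD"
        "CAP_SYS_RAWIO" # broad (raw port I/O); verify a backend actually needs it
        "CAP_SYS_RESOURCE"
        "CAP_NET_BIND_SERVICE"
        "CAP_NET_BROADCAST"
        "CAP_NET_RAW"
        "CAP_SETUID" # presumably for cupsd dropping privileges to run filters/backends
        "CAP_SETGID"
      ];
      NoNewPrivileges = true;
      RestrictNamespaces = "pid";
      ProtectControlGroups = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      # May break any filter that needs writable+executable memory (JIT);
      # revisit if a filter fails on mprotect/mmap.
      MemoryDenyWriteExecute = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = "@system-service";
      LockPersonality = true;
      RestrictRealtime = true;
      ProtectProc = "invisible";
      # PrivateUsers=true;
      # With PrivateNetwork the service only sees a private loopback, and the
      # AF_UNIX-only address family means it is reachable from the host solely
      # through its Unix socket — presumably intended; confirm the IPP/web
      # listener on localhost:631 is not needed by any client.
      PrivateNetwork = true;
      RestrictAddressFamilies = "AF_UNIX";
      # ProtectSystem=true;
      # TODO(review): ProtectSystem is left off; if it is re-enabled, the spool
      # and state directories cupsd writes must be allowed via ReadWritePaths=.
    };
  };
}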