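{ lib, config, ... }:
{
  # Sandboxing overrides for the acpid systemd unit.
  #
  # The overrides are only applied when at least one specialisation is
  # defined (`config.specialisation != { }`).  The reason for that gate is
  # not visible in this module -- NOTE(review): confirm it is intentional,
  # otherwise the hardening silently does nothing on hosts without
  # specialisations.
  config.systemd.services = lib.mkIf (config.specialisation != { }) {
    acpid.serviceConfig = {
      # Drop every capability from the bounding set (`[ "" ]` renders as an
      # empty `CapabilityBoundingSet=` assignment, which resets it).
      CapabilityBoundingSet = [ "" ];

      # Each `~type` entry is a separate RestrictNamespaces= line; systemd
      # ANDs negated lines, so all listed namespace types are denied.
      # NOTE(review): `time` namespaces are not in the list and therefore
      # remain allowed; `RestrictNamespaces = true` would deny all types.
      RestrictNamespaces = [ "~pid" "~user" "~net" "~uts" "~mnt" "~cgroup" "~ipc" ];

      ProtectControlGroups = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectKernelLogs = true;
      ProtectProc = "invisible";
      ProtectHome = true;
      # "strict" makes the whole filesystem read-only except /dev, /proc
      # and /sys; anything acpid (or a hook) must write needs an explicit
      # ReadWritePaths=/RuntimeDirectory= -- not declared here, so the
      # default unit must already provide it.
      ProtectSystem = "strict";
      PrivateTmp = true;
      PrivateUsers = true;

      MemoryDenyWriteExecute = true;
      RestrictSUIDSGID = true;
      RestrictRealtime = true;
      LockPersonality = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = "@system-service";

      # RestrictAddressFamilies already forbids IP sockets, so these two are
      # belt-and-braces.  IPAddressAllow= on its own is a no-op: the
      # allow-list only takes effect once IPAddressDeny= is set.
      IPAddressDeny = "any";
      IPAddressAllow = [ ];
      RestrictAddressFamilies = [ "AF_NETLINK" "AF_UNIX" ];

      # acpid needs the real /dev (input/event*, etc.), so no private /dev.
      PrivateDevices = false;
      # acpid talks to the kernel over netlink; a private network namespace
      # would cut it off from the host's netlink sockets.
      PrivateNetwork = false;
      # Left off so acpi hooks are not blocked from exec'ing setuid/setcap
      # binaries.  NOTE(review): with an empty CapabilityBoundingSet and
      # PrivateUsers=true such binaries cannot actually regain host
      # privileges, so this flag buys little; if hooks do not need it,
      # NoNewPrivileges=true is the safer setting.
      NoNewPrivileges = false;
    };
  };
}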