# NixOS module: systemd sandboxing overrides for the dbus-broker unit.
#
# Everything below is wrapped in lib.mkIf and only takes effect when
# config.specialisation is non-empty. A configuration that declares no
# specialisations gets none of these settings.
# NOTE(review): presumably the gate separates a parent configuration from
# its specialisations; confirm that an unhardened variant is intended.
{
  config,
  lib,
  ...
}:
let
  # True only when this configuration itself declares specialisations.
  hasSpecialisations = config.specialisation != { };

  # Filesystem, device and /proc view presented to the service.
  filesystem = {
    # PrivateDevices gives the unit a private /dev with only the API
    # pseudo-devices; DevicePolicy "closed" restricts device access to the
    # standard pseudo-devices as well.
    DevicePolicy = "closed";
    PrivateDevices = true;
    PrivateMounts = true;
    PrivateTmp = true;
    ProtectHome = "read-only";
    # "full" makes /usr, the boot loader directories and /etc read-only.
    # NOTE(review): "strict" is the tighter value; not verified here whether
    # dbus-broker tolerates it.
    ProtectSystem = "full";
    # Hides processes owned by other users from the unit's /proc.
    ProtectProc = "invisible";
  };

  # Kernel-facing interfaces the service may not modify.
  kernel = {
    ProtectClock = true;
    ProtectControlGroups = true;
    ProtectHostname = true;
    ProtectKernelLogs = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
  };

  # Per-process privilege and execution restrictions.
  process = {
    KeyringMode = "private";
    LockPersonality = true;
    # Refuses memory mappings that are writable and executable at once.
    MemoryDenyWriteExecute = true;
    # Blocks privilege gain through execve (setuid/setgid bits, file caps).
    NoNewPrivileges = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
  };

  # System call, socket family and namespace filters.
  syscalls = {
    SystemCallArchitectures = "native";

    # Allow-list. "@privileged" is permitted in addition to
    # "@system-service", which makes the filter wider than the service
    # baseline alone.
    # NOTE(review): check which privileged calls the unit actually needs.
    SystemCallFilter = [
      "@system-service"
      "@privileged"
    ];

    # Only UNIX-domain sockets may be created; AF_INET and AF_INET6 are
    # deliberately left out of the list.
    RestrictAddressFamilies = [ "AF_UNIX" ];

    # Each "~"-prefixed entry denies one namespace type. NixOS renders a
    # list as repeated directive lines, so order is kept as written.
    RestrictNamespaces = map (ns: "~" + ns) [
      "pid"
      "user"
      "net"
      "uts"
      "mnt"
      "cgroup"
      "ipc"
    ];
  };

  # Not set by this module:
  #   - CapabilityBoundingSet. The author's draft list (CAP_NET_BIND_SERVICE,
  #     CAP_SETGID, CAP_SETUID, CAP_SYS_CHROOT, CAP_DAC_OVERRIDE) remains
  #     disabled, so the unit's capability set is not narrowed here.
  #   - PrivateUsers and PrivateNetwork. The author's note marks leaving
  #     them off as important.
in
{
  config.systemd.services = lib.mkIf hasSpecialisations {
    dbus-broker.serviceConfig = filesystem // kernel // process // syscalls;
  };
}