{ lib, config, ... }:
{
  imports = [
    ./systemd
    ./ssh-as-sudo.nix
    ./apparmor
    ./opensnitch
    ./security.nix
  ];

  specialisation.unhardened.configuration = { };
  # services.opensnitch.enable = lib.mkForce false;

  systemd.tpm2.enable = false;
  systemd.enableEmergencyMode = false;
  virtualisation.vswitch.enable = false;
  services.resolved.enable = false;
  security.unprivilegedUsernsClone = true;
}