# Sandboxing overrides for the rtkit-daemon (RealtimeKit) systemd unit.
#
# Every directive below is a systemd `[Service]` hardening option; the values
# are unchanged from the original, only regrouped by theme and commented.
# The overrides are only merged in when at least one specialisation is
# defined — NOTE(review): that gate is unusual for a hardening override;
# confirm it is intentional rather than a leftover condition.
{ lib, config, ... }:
{
  config.systemd.services = lib.mkIf (config.specialisation != { }) {
    rtkit-daemon.serviceConfig = {
      # --- Scheduling --------------------------------------------------------
      # rtkit-daemon exists to grant realtime priorities to other processes,
      # so realtime scheduling must NOT be restricted for this unit.
      RestrictRealtime = false;

      # --- Privileges and capabilities --------------------------------------
      NoNewPrivileges = true;
      RestrictSUIDSGID = true;
      # Only what the daemon needs: scheduling control, reading /proc entries
      # of other users, chroot, and dropping its own uid/gid.
      CapabilityBoundingSet = [
        "CAP_SYS_NICE"
        "CAP_DAC_READ_SEARCH"
        "CAP_SYS_CHROOT"
        "CAP_SETGID"
        "CAP_SETUID"
      ];
      LockPersonality = true;

      # --- System calls ------------------------------------------------------
      SystemCallArchitectures = "native";
      # @chroot and @mount are allowed on top of the baseline service set;
      # they pair with CAP_SYS_CHROOT / PrivateMounts above and below.
      SystemCallFilter = [
        "@system-service"
        "@chroot"
        "@mount"
      ];

      # --- Memory ------------------------------------------------------------
      MemoryDenyWriteExecute = true;

      # --- Namespaces and networking ----------------------------------------
      # Each entry is negated ("~"), so every listed namespace type is denied;
      # with all types listed this is effectively RestrictNamespaces = true.
      RestrictNamespaces = [
        "~pid"
        "~user"
        "~net"
        "~uts"
        "~mnt"
        "~cgroup"
        "~ipc"
      ];
      # Unix sockets only (D-Bus); the unit gets no network namespace access.
      RestrictAddressFamilies = "AF_UNIX";
      PrivateNetwork = true;

      # --- Filesystem --------------------------------------------------------
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      PrivateMounts = true;
      # Hide non-process entries in /proc; the daemon still needs /proc/<pid>.
      ProcSubset = "pid";

      # --- Kernel interfaces -------------------------------------------------
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectKernelTunables = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;
    };
  };
}