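# NixOS module that exposes the apparmor.d profile collection through
# `security.apparmor_d`. Every selected profile becomes an entry of the stock
# `security.apparmor.policies` option whose body is a single `include` of the
# profile file shipped by the apparmor-d package, so the regular NixOS
# AppArmor service is what loads (or skips) it.
{ pkgs, config, lib, ... }:
let
  inherit (lib) mkIf mapAttrs;
  cfg = config.security.apparmor_d;
  # Built from the sibling package expression; its `etc/apparmor.d` tree is
  # what the `include` directives below point at.
  apparmor-d = pkgs.callPackage ./apparmor-d-package.nix { };
in
{
  options.security.apparmor_d = with lib; {
    # mkEnableOption prefixes its argument with "Whether to enable ", so the
    # argument must not start with "enable" itself (the previous wording
    # rendered as "Whether to enable enable apparmor.d support.").
    enable = mkEnableOption "apparmor.d support";

    profiles = mkOption {
      type = types.attrsOf (types.enum [ "disable" "complain" "enforce" ]);
      default = { };
      description = ''
        Set of AppArmor profiles to include from apparmor.d, keyed by the
        profile file name under `etc/apparmor.d` of the apparmor-d package.
        `enforce` loads the profile and confines the program; `complain`
        loads it but only logs would-be denials, so it does not confine;
        `disable` keeps the policy entry but does not load it.
      '';
    };
  };

  config = mkIf cfg.enable {
    # Puts the package's etc/apparmor.d tree (abstractions, tunables, ...)
    # on the parser's include path so the included profiles resolve.
    security.apparmor.packages = [ apparmor-d ];

    security.apparmor.policies = mapAttrs (name: mode: {
      # "disable" keeps the entry visible but stops it from being loaded.
      enable = mode != "disable";
      # Only "enforce" actually confines; "complain" is audit-only.
      enforce = mode == "enforce";
      # The attribute name is interpolated unescaped into the quoted include
      # path. It comes from the evaluating NixOS configuration, not from
      # untrusted input, so no escaping is done; a name containing a double
      # quote or a newline would still yield an unparsable directive, and a
      # name with no matching file fails only when apparmor_parser runs.
      profile = ''include "${apparmor-d}/etc/apparmor.d/${name}"'';
    }) cfg.profiles;

    environment.systemPackages = [ apparmor-d ];
  };
}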