# Host module: hardened zen kernel by default, with two boot-menu
# specialisations (an unhardened profile and a VFIO passthrough profile),
# doas instead of sudo, and the initrd module set for an AMD/NVIDIA box.
{ lib, pkgs, ... }:

{
  imports = [
    ./hardened.nix
    ./vfio.nix
    # ./apparmor.nix
  ];

  # Defaults for the primary generation: hardening on, VFIO off.
  # NOTE: ./apparmor.nix is not imported above, so no AppArmor policy is
  # active in any of the profiles below.
  custom.kernel = {
    hardened.enable = true;
    vfio.enable = false;
  };
  # security.apparmor.enable = false;

  # Each specialisation is an extra boot entry; "unhardened" drops the
  # kernel hardening, so anyone who can pick an entry at the boot menu
  # can start this host without it — treat it like physical access.
  specialisation = {
    unhardened.configuration = {
      custom.kernel.hardened.enable = lib.mkForce false;
      # security.apparmor.enable = lib.mkForce false;
    };
    vfio.configuration = {
      custom.kernel.vfio.enable = lib.mkForce true;
    };
  };

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

  hardware = {
    enableRedistributableFirmware = true;
    # Microcode updates carry CPU vulnerability mitigations.
    cpu.amd.updateMicrocode = true;
  };

  security = {
    rtkit.enable = true;
    # Single privilege-elevation path: sudo is off, doas is the only way up.
    sudo.enable = false;
    doas = {
      enable = true;
      extraRules = [
        {
          users = [ "user" ];
          # keepEnv carries the caller's environment into the elevated
          # process; persist caches the authentication for a while.
          # Both widen the escalation surface — confirm they are needed.
          keepEnv = true;
          persist = true;
        }
      ];
    };
  };

  boot.loader.systemd-boot.enable = true;
  # Allows the OS to write EFI variables (needed for bootloader install).
  boot.loader.efi.canTouchEfiVariables = true;
  boot.kernelPackages = pkgs.linuxPackages_zen;
  # IOMMU is presumably required for the vfio specialisation — confirm.
  boot.kernelParams = [ "amd_iommu=on" ];

  # Modules the initrd may load on demand (storage, USB, virtio).
  boot.initrd.availableKernelModules = [
    "nvme"
    "xhci_pci"
    "ahci"
    "usbhid"
    "sd_mod"
    "uas"
    "usbcore"
    "usb_storage"
    "vfat"
    "nls_cp437"
    "nls_iso8859_1"
    "virtio_pci"
    "virtio_blk"
    "virtio_net"
    "virtio_ring"
  ];
  # GPU drivers loaded unconditionally in the initrd.
  boot.initrd.kernelModules = [
    "amdgpu"
    "nvidia"
    "nvidia_modeset"
    "nvidia_drm"
  ];
}