{ config, lib, pkgs, ... }: {
  # Host hardening knobs layered on top of the hardened profile.
  #
  # Memory allocator: the hardened allocator is deliberately NOT enabled here
  # because it breaks redis/immich on this host (per the original note).
  # Left in place, commented out, so the reason is not lost:
  #
  # environment.memoryAllocator.provider = "graphene-hardened";

  # Core dumps are disabled so that process memory (which may contain session
  # keys, tokens or other secrets) is never written to disk on a crash.
  systemd.coredump.enable = false;

  # The hardened kernel sets kernel.unprivileged_userns_clone = 0. The Nix
  # build sandbox relies on user namespaces to map UIDs/GIDs, so any derivation
  # that runs `id` in its build phase (e.g. the logrotate checkPhase) fails
  # whenever it is not served from the binary cache.
  # See https://github.com/NixOS/nixpkgs/issues/287194
  #
  # Trade-off: turning this back on exposes kernel surface to unprivileged
  # local users that the hardened profile deliberately hides; weigh this
  # against who can log in to this host.
  security.unprivilegedUsernsClone = true;

  services = {
    # dbus-broker instead of the reference daemon.
    dbus.implementation = "broker";

    # fail2ban with explicit iptables actions (chosen for compatibility with
    # the host's firewall setup rather than whatever the default resolves to).
    fail2ban = {
      enable = true;
      banaction = "iptables-multiport";
      banaction-allports = "iptables-allports";
    };

    # Kept for reference, currently disabled:
    #
    # logrotate.enable = true;
    # journald = {
    #   storage = "volatile";    # keep the journal in memory only
    #   upload.enable = false;   # no remote log upload (already the default)
    #   extraConfig = ''
    #     SystemMaxUse=500M
    #     SystemMaxFileSize=50M
    #   '';
    # };
  };
}