# NixOS module: import a set of externally maintained systemd hardening
# profiles, then relax the two settings that do not work on this host.
{
  # config,
  lib,
  # pkgs,
  ...
}:
let
  # Checkout holding one hardening drop-in per service under services/<name>.nix.
  # `rev` pins an exact commit, so the imported profiles cannot change
  # underneath this configuration when the `main` branch moves.
  hardenedRepo = fetchGit {
    url = "https://github.com/wallago/nix-system-services-hardened.git";
    ref = "main";
    rev = "3c6c8738868277aa145e0f17c645172b1c9d81e3";
  };

  # Map a service name to the path of its profile inside the checkout.
  profileFor = name: "${hardenedRepo}/services/${name}.nix";
in
{
  imports = map profileFor [
    "accounts-daemon"
    "getty"
    # "nix-daemon" # TODO: breaks cgroups, ...
    "nscd"
    "rescue"
    "sshd"
    "systemd-machined"
    "systemd-rfkill"
    "systemd-udevd"
  ];

  # Local overrides layered on top of the imported profiles. `lib.mkForce`
  # wins over whatever a profile sets, so every entry here is a deliberate
  # weakening of that profile and should carry a reason.
  systemd.services = {
    # Clears RestrictNamespaces for nix-daemon. NOTE(review): the nix-daemon
    # profile is not imported above (see the TODO), so this override may be
    # a leftover — confirm it is still needed.
    nix-daemon.serviceConfig.RestrictNamespaces = lib.mkForce [ ];

    # sshd is given full access to home directories; presumably because the
    # login sessions it spawns inherit the unit's sandbox, so any ProtectHome
    # setting would also apply to the users' shells — verify before tightening.
    sshd.serviceConfig.ProtectHome = lib.mkForce "no";
  };
}