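{ config, lib, pkgs, ... }:

# Baseline host hardening, toggled by `security.basic.enable`:
#   - sudo-rs instead of C sudo, executable only by `wheel`
#   - polkit rule letting local, active `users` reboot/power off without a password
#   - AppArmor + dbus-broker with AppArmor mediation
#   - ntpd-rs for time sync (NTS currently disabled, see note below)
#   - blacklist of obscure network protocols and rarely-audited filesystems
#   - nix daemon access limited to the `users` group
let
  cfg = config.security.basic;
in
{
  options = {
    security.basic.enable = lib.mkEnableOption "enable basic security";
  };

  config = lib.mkIf cfg.enable {
    security = {
      # Replace the C sudo with sudo-rs; execWheelOnly restricts who can even
      # run the setuid binary, shrinking the attack surface for non-wheel users.
      sudo.enable = false;
      # doas.enable = true;
      sudo-rs = {
        enable = true;
        execWheelOnly = true;
      };

      polkit.enable = true;
      # Let members of `users` reboot / power off without an admin password,
      # including the `-multiple-sessions` variants (other users logged in).
      # The grant is limited to local, active sessions: without that check a
      # remote (e.g. SSH) or backgrounded session in `users` could shut the
      # machine down. Anything not matched falls through to polkit defaults.
      polkit.extraConfig = ''
        polkit.addRule(function(action, subject) {
          if (
            subject.isInGroup("users") &&
            subject.local &&
            subject.active &&
            (
              action.id == "org.freedesktop.login1.reboot" ||
              action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
              action.id == "org.freedesktop.login1.power-off" ||
              action.id == "org.freedesktop.login1.power-off-multiple-sessions"
            )
          ) {
            return polkit.Result.YES;
          }
        });
      '';

      # mkDefault so a host can opt out of AppArmor without mkForce.
      apparmor.enable = lib.mkDefault true;
    };

    # The doas->sudo shim is only useful when doas is the sudo replacement;
    # with doas disabled (the default here) nothing is added.
    environment.systemPackages =
      lib.optional config.security.doas.enable pkgs.doas-sudo-shim;

    services.dbus = {
      apparmor = "enabled";
      implementation = "broker";
    };

    # NOTE(review): NTS stays commented out, so time sync is unauthenticated
    # and an on-path attacker can skew the clock (certificate validity, log
    # timestamps, TOTP). Re-enable `require-nts` once NTS-capable servers
    # are configured.
    services.ntpd-rs = {
      enable = true;
      #settings = {
      #  server = {
      #    require-nts = true;
      #  };
      #};
    };

    # NOTE: a modprobe `blacklist` only prevents automatic loading (mount,
    # udev, socket()); root can still load these explicitly. To block explicit
    # loads as well, add `install <mod> /bin/false` via boot.extraModprobeConfig.
    boot.blacklistedKernelModules = [
      # Obscure network protocols
      "ax25"
      "netrom"
      "rose"

      # Old or rare or insufficiently audited filesystems
      "adfs"
      "affs"
      "bfs"
      "befs"
      "cramfs"
      "efs"
      "erofs"
      "exofs"
      "freevxfs"
      "f2fs"
      "hfs"
      "hpfs"
      "jfs"
      "minix"
      "nilfs2"
      # NOTE(review): "ntfs" is the legacy driver; the newer in-tree `ntfs3`
      # module has a different name and is not covered by this entry -- confirm
      # which driver the configured kernel ships.
      "ntfs"
      "omfs"
      "qnx4"
      "qnx6"
      "sysv"
      "ufs"
    ];

    # Only members of `users` may talk to the nix daemon (default is "*").
    # Presumably root and `trusted-users` are still allowed -- verify against
    # the nix.conf documentation for the pinned Nix version.
    nix.settings.allowed-users = lib.mkDefault [ "@users" ];
  };
}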