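# NixOS hardening module: restricts privilege escalation and the Nix daemon to
# the wheel group, turns on AppArmor and fail2ban, and tightens a handful of
# kernel networking / information-disclosure sysctls.
{ config, pkgs, ... }:

{
  # Only members of wheel may invoke sudo at all (the binary is 0750 root:wheel).
  security.sudo.execWheelOnly = true;

  # Only wheel may talk to the Nix daemon; everyone else is refused by nix-daemon.
  # NOTE(review): this also blocks non-wheel service accounts that build with nix --
  # add them here explicitly if any exist on this host.
  nix.settings.allowed-users = [ "@wheel" ];

  # Mandatory access control for services that ship AppArmor profiles.
  security.apparmor.enable = true;

  # Ban sources that repeatedly fail authentication. The default jail set targets
  # sshd; it only does useful work if sshd is enabled and logging on this host.
  services.fail2ban.enable = true;

  boot.kernel.sysctl = {
    # Information disclosure: unprivileged users cannot read the kernel ring buffer
    # or see raw kernel pointers (kptr_restrict=2 hides them from root as well).
    "kernel.dmesg_restrict" = 1;
    "kernel.kptr_restrict" = 2;

    # Log packets with impossible (spoofed / unroutable) source addresses.
    "net.ipv4.conf.all.log_martians" = 1;
    "net.ipv4.conf.default.log_martians" = 1;

    # Do not answer broadcast pings (Smurf amplification).
    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;

    # Ignore ICMP redirects (v4 and v6): a host is not a router and accepting
    # them lets an on-link attacker rewrite our routing table.
    "net.ipv4.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.default.accept_redirects" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv6.conf.default.accept_redirects" = 0;

    # Do not emit redirects either (only meaningful on a router; there is no
    # IPv6 counterpart for this knob).
    "net.ipv4.conf.all.send_redirects" = 0;
    "net.ipv4.conf.default.send_redirects" = 0;

    # Companion to the redirect settings: refuse source-routed packets, which
    # allow the sender to dictate the return path and bypass routing policy.
    "net.ipv4.conf.all.accept_source_route" = 0;
    "net.ipv4.conf.default.accept_source_route" = 0;
    "net.ipv6.conf.all.accept_source_route" = 0;
    "net.ipv6.conf.default.accept_source_route" = 0;
  };
}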