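# NixOS module: baseline kernel/network hardening plus an optional
# doas-for-sudo swap.
#
# Gated on `modules.security.enable` and `modules.security.useDoas`.
# NOTE(review): only `useDoas` is declared here; `cfg.enable` must be
# declared by a shared helper elsewhere, otherwise evaluation fails with
# "attribute 'enable' missing" — confirm.
{ config, lib, options, pkgs, ... }:

with lib;

let
  cfg = config.modules.security;
in
{
  options.modules.security = {
    useDoas = mkEnableOption "use doas instead of sudo";
  };

  # The two conditional blocks are combined with `mkMerge`. They must NOT be
  # joined with `//`: `mkIf` returns `{ _type = "if"; condition; content; }`,
  # so `mkIf a { ... } // mkIf b { ... }` keeps only the right-hand attrset and
  # silently discards every hardening setting on the left (the sysctls,
  # protectKernelImage, tmpfs /tmp) whenever both are written that way.
  config = mkMerge [
    (mkIf cfg.enable {
      boot = {
        # Keep /tmp in RAM so temporary files never reach persistent storage;
        # when it is not on tmpfs, wipe it on every boot instead. Both are
        # `mkDefault` so a host can override them.
        tmp.useTmpfs = mkDefault true;
        tmp.cleanOnBoot = mkDefault (!config.boot.tmp.useTmpfs);

        kernel.sysctl = {
          # Magic SysRq off: someone with console access cannot dump memory,
          # kill processes or reboot the box with key chords.
          "kernel.sysrq" = 0;

          # Drop source-routed packets. The key is `accept_source_route`;
          # the previous spelling (`accept_source_code`) is not a real sysctl,
          # so systemd-sysctl only logged an error and the protection was
          # never applied.
          "net.ipv4.conf.all.accept_source_route" = 0;
          "net.ipv6.conf.all.accept_source_route" = 0;

          # Neither emit nor honour ICMP redirects: a peer on the same segment
          # could otherwise rewrite this host's routes (on-path MITM).
          "net.ipv4.conf.default.send_redirects" = 0;
          "net.ipv4.conf.all.send_redirects" = 0;
          "net.ipv4.conf.default.accept_redirects" = 0;
          "net.ipv4.conf.all.accept_redirects" = 0;
          "net.ipv6.conf.default.accept_redirects" = 0;
          "net.ipv6.conf.all.accept_redirects" = 0;
          "net.ipv4.conf.default.secure_redirects" = 0;
          "net.ipv4.conf.all.secure_redirects" = 0;

          # SYN-flood resistance and protection against TIME-WAIT
          # assassination (RFC 1337).
          "net.ipv4.tcp_syncookies" = 1;
          "net.ipv4.tcp_rfc1337" = 1;

          # TCP Fast Open on both client (1) and server (2) sides.
          # NOTE(review): TFO cookies are a cross-connection tracking vector
          # and server-side TFO widens the amplification surface; `1`
          # (client only) is the safer choice on hosts that do not serve TFO.
          "net.ipv4.tcp_fastopen" = 3;

          # Congestion control / default queue discipline. The key is
          # `tcp_congestion_control`; the previous `tcp_conjestion_control`
          # spelling did not exist, so the kernel default stayed in effect.
          # The kernel autoloads `tcp_bbr` when "bbr" is written; add
          # `boot.kernelModules = [ "tcp_bbr" ]` if the sysctl is rejected
          # because the module is unavailable at sysctl time.
          "net.ipv4.tcp_congestion_control" = "bbr";
          "net.core.default_qdisc" = "cake";
        };
      };

      security = {
        # Prevent the running kernel image from being replaced
        # (kexec disabled, hibernation disallowed).
        protectKernelImage = true;
        # RealtimeKit, presumably so user audio processes can request
        # realtime scheduling — confirm it is still needed on this host.
        rtkit.enable = true;
      };
    })

    # Optional: replace sudo with doas. This is applied independently of
    # `cfg.enable`, matching the option's original scope.
    # NOTE(review): confirm that is intended rather than
    # `mkIf (cfg.enable && cfg.useDoas)`.
    (mkIf cfg.useDoas {
      security.sudo.enable = false;
      security.doas.enable = true;
      # Shim so scripts that hard-code `sudo` keep working on top of doas.
      environment.systemPackages = with pkgs; [ doas-sudo-shim ];
    })
  ];
}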