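# NixOS module: baseline kernel/network hardening, toggled by
# `modules.security.enable` (defaults to true).
#
# Fixes relative to the previous revision: two sysctl keys were misspelled
# (`accept_source_code`, `tcp_conjestion_control`). Those names do not exist
# under /proc/sys, so the intended settings were never applied.
{ config, lib, options, pkgs, ... }:

with lib;
let
  cfg = config.modules.security;
in
{
  options.modules.security = {
    # Master switch for everything in the `config` section below.
    enable = mkOption {
      type = types.bool;
      default = true;
    };
  };

  config = mkIf cfg.enable {
    # RealtimeKit: lets unprivileged processes request realtime scheduling
    # through a mediating daemon.
    security.rtkit.enable = true;

    # To verify after a rebuild, read each key back with `sysctl <key>`.
    # A misspelled key is not caught when the configuration is evaluated.
    boot.kernel.sysctl = {
      # Disable the Magic SysRq key combinations on the console.
      "kernel.sysrq" = 0;

      ## Routing hardening (this host is not meant to act as a router)
      # Do not accept source-routed packets.
      # NOTE(review): only the `all` scope is set here; confirm whether the
      # `default` scope should be pinned as well, as is done for redirects.
      "net.ipv4.conf.all.accept_source_route" = 0;
      "net.ipv6.conf.all.accept_source_route" = 0;
      # Do not send ICMP redirects.
      "net.ipv4.conf.default.send_redirects" = 0;
      "net.ipv4.conf.all.send_redirects" = 0;
      # Ignore incoming ICMP redirects, so a peer on the local network cannot
      # rewrite this host's routes.
      "net.ipv4.conf.default.accept_redirects" = 0;
      "net.ipv4.conf.all.accept_redirects" = 0;
      "net.ipv6.conf.default.accept_redirects" = 0;
      "net.ipv6.conf.all.accept_redirects" = 0;
      # Also ignore redirects that claim to come from a known gateway.
      "net.ipv4.conf.default.secure_redirects" = 0;
      "net.ipv4.conf.all.secure_redirects" = 0;

      ## TCP hardening
      # Use SYN cookies when the SYN backlog overflows (SYN-flood mitigation).
      "net.ipv4.tcp_syncookies" = 1;
      # RFC 1337: protect sockets in TIME-WAIT from being closed by stray RSTs.
      "net.ipv4.tcp_rfc1337" = 1;

      ## TCP performance (not hardening)
      # 3 = TCP Fast Open for both outgoing and incoming connections.
      # NOTE(review): this is a latency optimisation that widens what is
      # processed from an initial SYN; confirm it is wanted on this host.
      "net.ipv4.tcp_fastopen" = 3;
      # NOTE(review): "bbr" and "cake" need matching kernel support; confirm
      # the running kernel provides both, otherwise these writes are rejected.
      "net.ipv4.tcp_congestion_control" = "bbr";
      "net.core.default_qdisc" = "cake";
    };
  };
}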