# NixOS hardening module.
#
# A baseline set of kernel sysctls plus a few emergency-access / console
# restrictions are applied unconditionally once this module is imported; the
# more intrusive settings are opt-in through the `gen.hardening.*` options.
{ config, lib, ... }:
let
  inherit (lib) mkEnableOption mkIf mkMerge;
  hardening = config.gen.hardening;
in
{
  options.gen.hardening = {
    hardenBpf = mkEnableOption "place heavier restrictions on BPF";
    fullRpFilter = mkEnableOption "full reverse path filtering. (breaks dynamic routing, probably)";
    ignoreIcmpEcho = mkEnableOption "ignore icmp echos. (obviously, this makes pings unresponsive)";
    disableSack = mkEnableOption "disable tcp sack";
    disableConsole = mkEnableOption "disable console. (not recommended for test machines)";
  };

  config = {
    ### Sysctls ###
    boot.kernel.sysctl = mkMerge [
      # Baseline hardening, always on.
      {
        # Hide kernel pointers (%pK) from readers without CAP_SYSLOG.
        "kernel.kptr_restrict" = 1;
        # Reading the kernel log buffer requires CAP_SYSLOG.
        "kernel.dmesg_restrict" = 1;
        # Console loglevels: keep kernel messages off the console.
        "kernel.printk" = "3 3 3 3";
        # Do not auto-load tty line-discipline modules on behalf of unprivileged users.
        "dev.tty.ldisc_autoload" = 0;
        # Restrict userfaultfd to privileged callers.
        "vm.unprivileged_userfaultfd" = 0;
        # NOTE(review): security.protectKernelImage (set below) also sets this
        # as a default, so this explicit definition is redundant but harmless.
        "kernel.kexec_load_disabled" = 1;
        "kernel.sysrq" = 0; # ignore sysrq key
        # NOTE(review): upstream kernels define levels up to 2; 3 is a distro
        # patch value and behaves as 2 elsewhere — confirm on the target kernel.
        "kernel.perf_event_paranoid" = 3;
        "net.ipv4.tcp_rfc1337" = 1; # drop RSTs during time-wait state
      }

      # Opt-in: make the host invisible to ICMP echo (ping).
      (mkIf hardening.ignoreIcmpEcho {
        "net.ipv4.icmp_echo_ignore_all" = 1;
      })

      # Opt-in: BPF restrictions.
      (mkIf hardening.hardenBpf {
        # 1 = unprivileged bpf() disabled with no way back until reboot
        # (the kernel's value 2 would allow root to re-enable it).
        "kernel.unprivileged_bpf_disabled" = 1;
        # 2 = JIT constant blinding for all users, privileged included.
        "net.core.bpf_jit_harden" = 2;
      })

      # Opt-in: strict (1) reverse-path filtering on every interface.
      (mkIf hardening.fullRpFilter {
        "net.ipv4.conf.all.rp_filter" = 1;
        "net.ipv4.conf.default.rp_filter" = 1;
      })

      # Opt-in: turn off selective acknowledgement and its variants.
      (mkIf hardening.disableSack {
        "net.ipv4.tcp_sack" = 0;
        "net.ipv4.tcp_dsack" = 0;
        # NOTE(review): tcp_fack is a legacy no-op on recent kernels — verify
        # the key still exists on the target kernel before relying on it.
        "net.ipv4.tcp_fack" = 0;
      })
    ];

    ### Security options ###
    # Prevent replacing the running kernel image (kexec / hibernation).
    security.protectKernelImage = true;

    ### Disable emergency access ###
    # No emergency/rescue shell, neither in the initrd nor in the main system.
    systemd.enableEmergencyMode = false;
    boot.initrd.systemd.emergencyAccess = false;

    ### Disable tty login ###
    # NOTE(review): whether disabling the virtual console also disables getty
    # logins depends on the NixOS console module — confirm before relying on it.
    console = {
      earlySetup = true;
      enable = !hardening.disableConsole;
    };
  };
}