# Role catalogue for the `dendritic` namespace.
#
# Declares `dendritic.roles` as an attribute set keyed by role name. Each role
# carries two lists of strings, both defaulting to empty:
#   roles    - names of other roles (presumably composed into this one; the
#              resolver lives outside this file, so confirm against the consumer)
#   features - names of features attached to the role
#
# NOTE(review): both lists are plain `types.str`, so nothing in this file
# rejects a misspelled or unknown name. If the consumer ignores unknown names
# instead of failing evaluation, a typo in a `security-*` entry would drop that
# hardening silently. Confirm the consumer asserts on unknown names.
{ lib, ... }:
let
  inherit (lib) mkOption types;

  # Shared declaration for both per-role fields: a list of strings, empty by default.
  nameList = mkOption {
    type = types.listOf types.str;
    default = [ ];
  };
in
{
  options.dendritic.roles = mkOption {
    type = types.attrsOf (
      types.submodule {
        options = {
          roles = nameList;
          features = nameList;
        };
      }
    );
    default = { };
  };

  config.dendritic.roles = {
    core-user = {
      features = [
        "shell"
        "nh"
        "system-nix"
      ];
    };

    # Hardening set referenced by both `server` and `workstation` below.
    security-baseline = {
      features = [
        "security-kernel-hardened"
        "system-services"
        "security-systemd"
        "security-sysctl"
        "security-firewall"
        "security-auditd"
        "security-malware-clamav"
        "ntp-chrony"
        "security-usbguard"
      ];
    };

    desktop-wayland = {
      features = [
        "browser-brave"
        "wm-niri"
        "terminal-ghostty"
        "audio"
        "bluetooth"
        "gnupg-agent"
        "wayland"
        "proton"
        "earlyoom"
        "dolphin"
        "pass"
        "zk"
        "gui-programs"
      ];
    };

    laptop = {
      features = [
        "hardware-laptop"
        "security-systemd-bluetooth"
      ];
    };

    server = {
      # NOTE(review): "security-sysctl-strict" is listed as a role, but no role
      # of that name is defined in this file and it is named like the
      # "security-sysctl" feature. Confirm it is declared as a role in another
      # module; if it is a feature, it belongs in `features`, otherwise the
      # strict sysctl settings may never reach servers.
      roles = [
        "security-baseline"
        "security-sysctl-strict"
      ];
      # NOTE(review): `security-baseline` already lists "security-firewall";
      # whether it is meant to coexist with "security-firewall-nftables" is not
      # visible from this file. Confirm the two do not conflict.
      features = [
        "security-ssh-hardening"
        "security-firewall-nftables"
        "ops-server-base"
      ];
    };

    developer = {
      features = [
        "jujutsu"
        "developer-cli"
        "editor-neovim"
        "containers-podman"
        "ops-k8s"
        "virtualization-libvirt"
        "security-sudo-rs"
        "security-ssh-client"
        "dev-devenv"
      ];
    };

    secrets-managed = {
      features = [
        "secrets-system-sops"
        "secrets-home-sops"
      ];
    };

    theme-stylix = {
      features = [
        "theme-system-stylix"
        "theme-home-stylix"
      ];
    };

    # Aggregate role with no features of its own; every name here is a role
    # defined above in this file.
    workstation = {
      roles = [
        "core-user"
        "security-baseline"
        "desktop-wayland"
        "developer"
        "secrets-managed"
        "theme-stylix"
      ];
    };
  };
}