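# Userspace-facing kernel hardening, exposed as one dendritic feature that
# contributes a single NixOS module. All values are applied through
# boot.kernel.sysctl (systemd-sysctl at boot), which logs and skips a key
# the running kernel does not expose rather than failing the boot.
{ ... }:
{
  config.dendritic.features.security-sysctl-userspace = {
    nixosModules = [
      ({ ... }: {
        boot.kernel.sysctl = {
          # 0 breaks browsers (their sandboxes create user namespaces).
          # NOTE(review): this key exists on linux-hardened / Debian-patched
          # kernels only; a mainline kernel ignores it and gates user
          # namespaces through user.max_user_namespaces instead.
          "kernel.unprivileged_userns_clone" = 1;
          # Lowest address userspace may map; blocks the classic NULL-page
          # mapping used to exploit kernel NULL-pointer dereferences.
          "vm.mmap_min_addr" = 65536;
          # Not a security knob: prefer dropping page cache over swapping.
          "vm.swappiness" = 10;
          # ASLR memory protection (64-bit systems): maximum mmap entropy on
          # x86_64. 32-bit x86 kernels cap mmap_rnd_bits at 16 and reject 32.
          "vm.mmap_rnd_bits" = 32;
          "vm.mmap_rnd_compat_bits" = 16;
          # only permit symlinks to be followed when outside of a world-writable sticky directory
          "fs.protected_symlinks" = 1;
          "fs.protected_hardlinks" = 1;
          # Prevent creating files in potentially attacker-controlled environments
          # (2 = also covers group-writable sticky directories, not only world-writable ones)
          "fs.protected_fifos" = 2;
          "fs.protected_regular" = 2;
          # Randomize memory (stack, mmap base, VDSO and brk); 2 is the kernel
          # default and is pinned here so a profile cannot silently lower it.
          "kernel.randomize_va_space" = 2;
          # "kernel.exec-shield" deliberately omitted: Exec Shield was a
          # Red Hat-only patch set and is not a sysctl on mainline kernels,
          # so the former entry only produced a systemd-sysctl write error.
          # Non-executable stack/data on x86_64 and aarch64 is enforced by
          # the hardware NX/XN bit without any sysctl.
        };
      })
    ];
  };
}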