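{ ... }:
{
  # Feature definition: exposes one NixOS module under `nixosModules` that
  # applies a small set of kernel-hardening sysctls (KSPP-style defaults).
  config.dendritic.features.security-sysctl-kernel = {
    nixosModules = [
      ({ ... }: {
        boot.kernel.sysctl = {
          # Do not core-dump setuid / otherwise privilege-changed processes;
          # such dumps can expose privileged memory to the invoking user.
          "fs.suid_dumpable" = 0;

          # NOTE(review): the original comment "prevent pointer leaks" sat here
          # without a matching setting (it describes kernel.kptr_restrict, which
          # is not configured in this module); kept as a reminder rather than
          # silently adding a new sysctl.

          # Note: certain container runtimes or browser sandboxes might rely on
          # the following.
          # Restrict autoloading of TTY line disciplines to CAP_SYS_MODULE.
          # The key is spelled `ldisc` (line discipline); the previous `ldisk`
          # spelling is not a kernel sysctl, so the write was rejected at apply
          # time and the restriction never took effect.
          "dev.tty.ldisc_autoload" = 0;

          # Restrict userfaultfd() to processes holding CAP_SYS_PTRACE; this
          # removes a common primitive used to exploit use-after-free flaws.
          # Tooling such as post-copy VM migration or checkpoint/restore may
          # need it re-enabled.
          "vm.unprivileged_userfaultfd" = 0;

          # kexec loads and boots another kernel at runtime and can be abused to
          # replace the running kernel. This switch is one-way: once set to 1 it
          # cannot be cleared until the next reboot.
          "kernel.kexec_load_disabled" = 1;

          # Kernel self-protection
          # SysRq exposes a lot of potentially dangerous debugging functionality
          # to unprivileged users. 4 (bit 2) keeps only keyboard control, i.e.
          # the secure attention key; 0 would disable SysRq completely.
          "kernel.sysrq" = 4;

          # Restrict use of performance events to CAP_PERFMON (or CAP_SYS_ADMIN).
          # Upstream Linux defines 0..2; 3 is honoured only by kernels carrying
          # the Debian/Android patch (no unprivileged perf at all). On an
          # unpatched kernel the value is accepted and behaves like 2, so
          # unprivileged users can still profile their own user-space code.
          "kernel.perf_event_paranoid" = 3;
        };
      })
    ];
  };
}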