{ ... }:
{
  config.dendritic.features.security-systemd = {
    # Feature tags provided by this module. Tags kept as comments are
    # deliberately left out on this host.
    features = [
      "security-systemd-ask-password-console"
      "security-systemd-ask-password-wall"
      "security-systemd-auditd"
      # "security-systemd-dbus" is left out: dbus-broker is used instead
      "security-systemd-display-manager"
      # "security-systemd-getty"
      "security-systemd-journald"
      "security-systemd-machined"
      "security-systemd-ncsd"
      "security-systemd-networkmanager"
      "security-systemd-networkmanager-dispatcher"
      "security-systemd-nix-daemon"
      "security-systemd-reload-vconsole"
      "security-systemd-rescue"
      "security-systemd-rtkit"
      "security-systemd-sshd"
      "security-systemd-udevd"
      # "security-systemd-user"
    ];

    # NixOS modules applied when this feature is enabled.
    nixosModules = [
      ({ lib, ... }: {
        services = {
          avahi.enable = false;      # mDNS/DNS-SD
          geoclue2.enable = false;   # location services
          # udisks2.enable = false;
          # accounts-daemon.enable = lib.mkDefault false;
        };

        # ModemManager is only useful for WWAN/3G/4G modems; without one it
        # just runs `mmcli` for nothing.
        networking.modemmanager.enable = false;

        # The Bluetooth stack has a long record of vulnerabilities.
        hardware.bluetooth.enable = false;

        # A hardened host is upgraded by hand, not on a timer.
        system.autoUpgrade.enable = false;

        # No core dump collection by systemd-coredump.
        systemd.coredump.enable = false;

        # Core file size limit of 0 (the equivalent of `ulimit -c 0`) for
        # PAM sessions.
        # NOTE(review): pam loginLimits applies to PAM login sessions;
        # services started by systemd take their limits from the unit or
        # manager defaults — confirm separately whether those also need a
        # zero core limit.
        security.pam.loginLimits = [
          {
            domain = "*";   # every user / session
            type = "-";     # soft and hard limit alike
            item = "core";  # the limit item
            value = "0";    # effectively disables core files
          }
        ];
      })
    ];
  };
}