# NixOS module: pulls in the nix-mineral hardening module from the flake
# inputs and configures it, but only on hosts where `config.hardened` is set.
#
# NOTE(review): the meaning of each boolean and string below is defined by
# nix-mineral's own option declarations, which are not visible in this file.
# Whether `true` turns a hardening measure on or re-allows a feature differs
# per option — confirm against the option docs of the pinned nix-mineral
# revision before changing a value, and re-check after bumping the input.
{ lib, config, inputs, ... }:
let
  inherit (lib) mkForce mkIf;
in
{
  # Third-party module taken from the flake inputs; it is imported
  # unconditionally, only its configuration below is gated.
  imports = [ inputs.nix-mineral.nixosModules.nix-mineral ];

  # `config.hardened` is not declared here — presumably a boolean option
  # defined elsewhere in this configuration; verify it exists on every host
  # that imports this module.
  config = mkIf config.hardened {
    nix-mineral = {
      enable = true;

      settings = {
        # Crash-dump and compressed-swap handling.
        debug = {
          coredump = true;
          zram = false;
        };

        # ICMP handling.
        network.icmp = {
          cast = true;
          ignore-all = false;
        };

        # Kernel-level knobs. lockdown together with only-signed-modules
        # presumably prevents loading unsigned or out-of-tree kernel modules;
        # check that every module this host needs still loads.
        kernel = {
          cpu-mitigations = "smt-on";
          io-uring = true;
          lockdown = true;
          only-signed-modules = true;
          pti = true;
          sysrq = "none";
        };

        # "relaxed" is the author's choice; presumably a less strict Yama
        # ptrace policy than the module offers — confirm it matches the
        # debugging needs of this host.
        system.yama = "relaxed";
      };

      extras = {
        kernel.intelme-kmodules = false;

        system = {
          secure-chrony = true;
          unprivileged-userns = false;
        };
      };

      # Mount-option overrides. mkForce makes these definitions win over
      # nix-mineral's own values and over any normal-priority definition
      # made elsewhere in the configuration.
      filesystems.normal = {
        # Deliberate exception: /home stays executable so shell scripts kept
        # there can be run. The trade-off is that a user-writable tree
        # remains a place binaries can be executed from.
        "/home".options.noexec = mkForce false;
        # /etc is forced noexec.
        "/etc".options.noexec = mkForce true;
      };
    };
  };
}