{
  security = {
    polkit.enable = true;
    auditd.enable = true;

    sudo = {
      enable = true;
      execWheelOnly = true;
    };

    audit = {
      enable = true;
      rules = [ "-a exit,always -F arch=b64 -S execve" ];
    };

    doas = {
      enable = true;
      extraRules = [
        {
          keepEnv = true;
          # persist = true;
          noPass = true;

          users = [ "ebisu" ];
        }
      ];
    };
  };
}