{
  config,
  lib,
  ...
}:
let
  inherit (lib.modules) mkForce;
in
{
  imports = [
    ./audit.nix
    ./doas.nix
    ./pki.nix
    ./polkit.nix
    ./sudo.nix
    ./tpm.nix
  ];

  security = {
    auditd.enable = true;
    rtkit.enable = mkForce config.services.pipewire.enable;
    virtualisation.flushL1DataCache = "always";
  };
}