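# Hardening defaults for a NixOS host: Tor bridge usage, lid-close hibernation,
# restricted sudo, a minimal default package set, and sandboxing / antivirus
# services.
#
# The file was previously collapsed onto a single line, so everything after the
# first `#` was parsed as a comment and none of the options below took effect.
# The unused `with lib;` scope and the unused `cfg` / `psCfg` bindings were
# dropped; `lib` is only needed for `lib.mkForce`.
{
  config,
  lib,
  pkgs,
  ...
}: {
  # Make Tor reach the network through bridge relays instead of connecting to
  # public relays directly. This file neither enables Tor nor sets any `Bridge`
  # lines.
  # NOTE(review): tor refuses to start with UseBridges set and no bridge
  # configured; confirm the bridges are provided by another module.
  services.tor.settings = {
    UseBridges = true;
  };

  # Hibernate instead of suspending when the lid is closed, so memory contents
  # are written to disk rather than kept in powered RAM.
  # NOTE(review): the hibernation image is only encrypted if the swap device is
  # encrypted, which is not configured here. This also covers the lid switch
  # only; other suspend paths (idle action, power key, manual suspend, the
  # docked case via services.logind.lidSwitchDocked) are not changed here.
  services.logind.lidSwitch = "hibernate";

  # The options below are directly taken from or inspired by
  # https://xeiaso.net/blog/paranoid-nixos-2021-07-18

  # Only members of the group wheel may execute the sudo binary at all, so
  # other accounts cannot reach the setuid program.
  security.sudo.execWheelOnly = true;

  # Remove the complete default environment of packages like
  # nano, perl and rsync. mkForce overrides the default list set by NixOS.
  environment.defaultPackages = lib.mkForce [];

  # Left disabled by the author:
  # fileSystems."/".options = [ "noexec" ];

  # Disable systemd-coredump: stored core dumps can contain secrets that could
  # be exploited later, and writing them slows the system down when something
  # crashes.
  # NOTE(review): this turns off the systemd-coredump handler only; verify that
  # the kernel does not still write core files (core_pattern / core size
  # limits) if the goal is that no dump ever reaches disk.
  systemd.coredump.enable = false;

  # Required to run chromium with its sandbox; this installs a setuid sandbox
  # helper.
  security.chromiumSuidSandbox.enable = true;

  # Install firejail with its setuid wrapper.
  # NOTE(review): the original comment said this creates system-wide firefox and
  # chromium executables that wrap the real binaries. Such wrappers are only
  # generated from programs.firejail.wrappedBinaries, which is not set in this
  # file; confirm another module defines them, otherwise the browsers start
  # unsandboxed by firejail.
  programs.firejail.enable = true;

  # Enable the ClamAV daemon and keep the signature database updated.
  # No scheduled or on-access scan is configured in this file.
  services.clamav.daemon.enable = true;
  services.clamav.updater.enable = true;
}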