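# NixOS module: relaxes a fixed set of systemd sandboxing directives for five
# core systemd daemons, dhcpcd and nginx.
#
# `lib` has to be named in the module arguments: with the bare `{...}:` header
# the `lib.mkForce` calls below refer to an undefined variable and the file
# does not evaluate.
{ lib, ... }:
let
  # What each directive does once set as below (semantics per systemd.exec(5)
  # and systemd.resource-control(5)):
  #   DeviceAllow = ""             resets the device allow-list for the unit
  #   IPAddressDeny = ""           resets the IP deny-list, so no traffic filter
  #   LockPersonality = no         personality(2) changes remain possible
  #   MemoryDenyWriteExecute = no  writable+executable memory mappings allowed
  #   NoNewPrivileges = no         execve() may still gain privileges (setuid, file caps)
  #   ProtectClock = no            system/hardware clock writes are not blocked
  #   RestrictAddressFamilies = "" resets the socket address-family filter
  #   RestrictNamespaces = ""      namespace creation is not restricted
  #   RestrictRealtime = no        realtime scheduling may be acquired
  #   RestrictSUIDSGID = no        setuid/setgid bits may be set on files
  #
  # These are plain definitions (no lib.mkForce). How they combine with a value
  # nixpkgs or the upstream unit already sets for the same key is not visible
  # from this file. Confirm the rendered unit with `systemctl cat <unit>`.
  relaxedHardening = {
    DeviceAllow = "";
    IPAddressDeny = "";
    LockPersonality = "no";
    MemoryDenyWriteExecute = "no";
    NoNewPrivileges = "no";
    ProtectClock = "no";
    RestrictAddressFamilies = "";
    RestrictNamespaces = "";
    RestrictRealtime = "no";
    RestrictSUIDSGID = "no";
  };

  # Same directives wrapped in lib.mkForce so they take priority over the
  # values the dhcpcd and nginx modules define. LockPersonality is the boolean
  # `false` here, not the string "no" used above.
  forcedRelaxedHardening = {
    DeviceAllow = lib.mkForce "";
    IPAddressDeny = lib.mkForce "";
    LockPersonality = lib.mkForce false;
    MemoryDenyWriteExecute = lib.mkForce "no";
    NoNewPrivileges = lib.mkForce "no";
    ProtectClock = lib.mkForce "no";
    RestrictAddressFamilies = lib.mkForce "";
    RestrictNamespaces = lib.mkForce "";
    RestrictRealtime = lib.mkForce "no";
    RestrictSUIDSGID = lib.mkForce "no";
  };
in
{
  # who needs security lmao
  # NOTE(review): every directive above is turned off for every unit listed
  # here. If only one of them breaks a given service, override that single key
  # and leave the rest. `systemd-analyze security <unit>` shows the resulting
  # exposure per unit.
  systemd.services.systemd-journald.serviceConfig = relaxedHardening;
  systemd.services.systemd-udevd.serviceConfig = relaxedHardening;
  systemd.services.systemd-oomd.serviceConfig = relaxedHardening;
  systemd.services.systemd-timesyncd.serviceConfig = relaxedHardening;
  systemd.services.systemd-logind.serviceConfig = relaxedHardening;

  # dhcpcd parses network input. nginx is presumably the network-facing
  # service on this host. The forced overrides remove the address-family,
  # W^X and no-new-privileges confinement from both.
  systemd.services.dhcpcd.serviceConfig = forcedRelaxedHardening;
  systemd.services.nginx.serviceConfig = forcedRelaxedHardening;
}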