# Shared helper library for this flake.
#
# Takes the flake's `lib`, `inputs` and `self` and returns an attribute set of
# small builders used by the host/module definitions.
{ lib, inputs, self, ... }:
let
  inherit (lib) mkOption types nameValuePair throwIfNot;
  inherit (lib.strings) sanitizeDerivationName;
  inherit (builtins) pathExists baseNameOf;
in
{
  # Baseline systemd sandboxing applied to services that opt in.
  #
  # Every key maps 1:1 to a `[Service]` unit directive.  The set is
  # deliberately restrictive: the unit gets no network at all
  # (`PrivateNetwork` plus `IPAddressDeny = "any"`), no device nodes, no
  # writable+executable memory (`MemoryDenyWriteExecute` — this breaks
  # runtimes that JIT, so such services should override it), and a
  # read-only `/usr`, `/boot` and `/etc` via `ProtectSystem = "full"`.
  # `NoNewPrivileges` keeps setuid/capabilities from being gained across
  # `execve`.  Services needing more (or less) should extend or override
  # individual keys rather than edit this set.
  systemdHardening = {
    # Network isolation
    IPAddressDeny = "any";
    PrivateNetwork = true;
    # Privilege and kernel surface
    NoNewPrivileges = true;
    ProtectKernelTunables = true;
    ProtectKernelModules = true;
    ProtectKernelLogs = true;
    ProtectControlGroups = true;
    ProtectClock = true;
    ProtectHostname = true;
    SystemCallArchitectures = "native";
    LockPersonality = true;
    RestrictRealtime = true;
    MemoryDenyWriteExecute = true;
    # Filesystem and devices
    ProtectSystem = "full";
    PrivateTmp = true;
    PrivateDevices = true;
    DevicePolicy = "closed";
  };

  # Verify the existence of a binary inside of a derivation.
  # Returns the absolute path to the binary or throws.
  #
  # NOTE(review): `pathExists` on a store path of an unbuilt derivation makes
  # the evaluator realise that derivation (import-from-derivation) — fine for
  # small packages, but worth knowing before using it on large ones.
  checkPath =
    pkg: bin:
    let
      exe = lib.getExe' pkg bin;
    in
    throwIfNot (pathExists exe) "${exe} does not exist." exe;

  # Build a NixOS system for one host.
  #
  # Arguments (attribute set):
  #   withSystem   - flake-parts' per-system accessor, gives `inputs'`/`self'`
  #   hostname     - directory name under `hosts/` and the machine's hostName
  #   extraModules - additional NixOS modules (default: none)
  #   system       - e.g. "x86_64-linux"
  #
  # The host directory, the shared `options` and `modules` trees and the
  # hostname setting are always included; `specialArgs` exposes the flake
  # inputs, the public keys file and the single user name to every module.
  mkSystem =
    {
      withSystem,
      hostname,
      extraModules ? [ ],
      system,
    }:
    withSystem system (
      { inputs', self', ... }:
      let
        baseModules = [
          "${self}/hosts/${hostname}"
          "${self}/options"
          "${self}/modules"
          { networking.hostName = hostname; }
        ];
      in
      lib.nixosSystem {
        inherit system;
        modules = baseModules ++ extraModules;
        specialArgs = {
          inherit
            inputs
            inputs'
            self
            self'
            ;
          pubkeys = import ../../options/keys.nix { inherit lib; };
          username = "ny";
        };
      }
    );

  # Declare a `types.port` option with the given default, described as the
  # port `name` listens on.
  mkPortOption =
    port: name:
    mkOption {
      type = types.port;
      default = port;
      description = "The port ${name} should listen on";
    };

  # Positional shorthand for `mkOption { type; default; description; }`.
  mkOption' = type: default: description: mkOption { inherit type default description; };

  # Assert that `s` exists on disk and return its basename; throws otherwise.
  validatePath = s: throwIfNot (pathExists s) "${s} does not exist" (baseNameOf s);

  # Produce a `{ name; value; }` pair for `services.nginx.virtualHosts` that
  # reverse-proxies everything under "/" to a loopback port.
  #
  #   name - the vhost (server_name)
  #   port - local port of the upstream, reached via 127.0.0.1 only
  #   ssl  - when true, request an ACME certificate and redirect HTTP to HTTPS
  #
  # Intended to be fed to `listToAttrs`.
  mkVHost =
    name: port: ssl:
    nameValuePair name {
      enableACME = ssl;
      forceSSL = ssl;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString port}";
        extraConfig = ''
          proxy_ssl_server_name on;
          proxy_pass_header Authorization;
        '';
      };
    };

  # Lower-case a string and reduce it to characters valid in a derivation
  # name.
  slugify = str: sanitizeDerivationName (lib.toLower str);

  # Partition builders for disko layouts.  Each returns a partition entry
  # (size + type/content) for a GPT disk description.
  disko = {
    # EFI system partition, FAT32, mounted at /boot with restrictive umask so
    # the ESP is not world-readable.
    mkBoot = size: {
      inherit size;
      type = "EF00";
      content = {
        type = "filesystem";
        format = "vfat";
        mountpoint = "/boot";
        mountOptions = [ "umask=0077" ];
      };
    };

    # Swap partition encrypted with a random key on every boot.
    mkSwap = size: {
      inherit size;
      content = {
        type = "swap";
        randomEncryption = true;
        priority = 100;
      };
    };

    # Root filesystem of the given `format` (e.g. "ext4"), mounted at /.
    mkRoot = size: format: {
      inherit size;
      content = {
        inherit format;
        type = "filesystem";
        mountpoint = "/";
        mountOptions = [ "defaults" ];
      };
    };
  };
}