# Local system module: picks the kernel package set and optionally applies the
# upstream headless profile.
#
# Options under `local.system`:
#   kernel   - "hardened" | "stable" | "latest". Defaults to "latest", so the
#              hardened profile and hardened kernel are opt-in.
#   headless - applies the headless profile and turns on zram swap.
{ inputs, config, pkgs, lib, ... } @ args:

let
  inherit (lib) mkDefault mkEnableOption mkIf mkMerge mkOption types;

  # Both profiles are taken from the nixpkgs-unstable input, not from the
  # nixpkgs that evaluates this module.
  profilesDir = "${inputs.nixpkgs-unstable}/nixos/modules/profiles";

  # The headless profile is applied to this module's own arguments by hand
  # (rather than listed in `imports`) so the result can sit behind `mkIf`.
  headlessProfile = import "${profilesDir}/headless.nix" args;

  sys = config.local.system;
  wantsHardened = sys.kernel == "hardened";
in
{
  # Imported unconditionally; whether it takes effect is driven by
  # `profiles.hardened`, set below.
  # NOTE(review): assumes the profile in the pinned nixpkgs gates its settings
  # on `profiles.hardened`; confirm against the pinned revision.
  imports = [ "${profilesDir}/hardened.nix" ];

  options.local.system = {
    kernel = mkOption {
      type = types.enum [ "hardened" "stable" "latest" ];
      default = "latest";
    };
    headless = mkEnableOption "headless profile";
  };

  config = mkMerge [
    {
      # Off by default at mkDefault priority; the hardened branch below sets
      # it to true at normal priority, which wins.
      profiles.hardened = mkDefault false;
      boot.tmp.cleanOnBoot = true;
    }

    # `//` is a shallow merge: a top-level `zramSwap` key in the profile would
    # be replaced wholesale (presumably the profile sets none; verify).
    (mkIf sys.headless (headlessProfile // { zramSwap.enable = true; }))

    (mkIf wantsHardened {
      profiles.hardened = true;
      boot.kernelPackages = pkgs.unstable.linuxPackages_6_6_hardened;
      # Fix for GLIBC errors due to 'scudo' from hardened profile.
      # https://github.com/NixOS/nix/issues/6563
      # Trade-off: this replaces the hardened allocator the profile would
      # otherwise select with plain libc malloc, so allocator-level heap
      # hardening is given up on every "hardened" host. Revisit once the
      # linked issue no longer applies.
      environment.memoryAllocator.provider = "libc";
    })

    (mkIf (sys.headless && wantsHardened) {
      # Disabled by hardened profile, big performance hit.
      # Security trade-off: turning SMT back on re-exposes the host to
      # side-channel leaks between sibling hardware threads, which is the
      # reason the profile turns it off. Acceptable only where co-resident
      # workloads are trusted; hardened hosts that are not headless keep the
      # profile's setting.
      security.allowSimultaneousMultithreading = true;
    })

    (mkIf (sys.kernel == "stable") {
      # NOTE(review): pinned to one release series rather than a moving or
      # long-term alias; confirm it still receives upstream security fixes in
      # the pinned nixpkgs.
      boot.kernelPackages = pkgs.unstable.linuxPackages_6_13;
    })

    (mkIf (sys.kernel == "latest") {
      boot.kernelPackages = pkgs.unstable.linuxPackages_latest;
    })
  ];
}