{ config, lib, pkgs, ... }:

let
  cfg = config.ptw.security.apparmor;
in {
  options.ptw.security.apparmor = {
    enable = lib.mkEnableOption "Enable AppArmor";
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = with pkgs; [
      apparmor-bin-utils
    ];

    services.dbus.apparmor = "enabled";
    security.apparmor = {
      enable = true;
      enableCache = true;
      includes = {
        profiles = "${pkgs.apparmor-profiles}/etc/apparmor.d";
      };
    };
  };
}