{ lib, pkgs, ... }:
{
  boot = {
    kernelPackages = pkgs.linuxPackages_hardened;
    initrd.systemd.services.root-reset.enable = lib.mkForce false;
  };
}