{
  config,
  lib,
  ...
}:
with lib; {
  options = {
    nixLockdown = {
      enable = mkOption {
        description = "Lockdown Nix";
        default = true;
        example = true;
        type = lib.types.bool;
      };
    };
  };
  config = mkIf config.nixLockdown.enable {
    nix = {
      settings.sandbox = true;
      settings.trusted-users = ["@wheel"];
      settings.allowed-users = ["root" "qbit"];
    };
  };
}