{
  config,
  lib,
  ...
}:
{

  options.common.security.nix.enable = lib.mkEnableOption "enhanced nix security";

  config = lib.mkIf config.common.security.nix.enable {
    users.groups.nix = { };

    nix.settings.allowed-users = lib.mkForce [
      "@users"
      "@nix"
    ];
  };

}