{
  config,
  lib,
  ...
}:
with lib; let
  cfg = config.local.kiosk;
in {
  options.local.kiosk = {
    enable = mkEnableOption "kiosk mode";

    program = mkOption {
      type = types.str;
    };

    user = mkOption {
      type = types.str;
    };

    allowVTSwitch = mkOption {
      type = types.bool;
      default = false;
    };
  };

  config = mkIf cfg.enable {
    services = {
      cage = {
        enable = true;
        inherit (cfg) program user;

        extraArguments = [
          (
            if cfg.allowVTSwitch
            then "-sd"
            else "-d"
          )
        ];
      };

      physlock = {
        enable = true;
        disableSysRq = true;
        muteKernelMessages = true;
      };
    };
  };
}