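# nix-darwin module: Touch ID for sudo plus the macOS application firewall.
#
# Line structure matters here: a `#` comment runs to the end of the line, so
# each setting must sit on its own line or the comment before it swallows it.
{ config, pkgs, ... }:
{
  # Enable Touch ID for sudo through the `sudo_local` PAM service.
  # Other security.pam or service-level settings can be placed here as well.
  # Touch ID is accepted in place of the account password for sudo, so the
  # set of enrolled fingerprints becomes part of the privilege boundary.
  security.pam.services.sudo_local.touchIdAuth = true;

  networking.applicationFirewall = {
    # Turn the application firewall on.
    enable = true;

    # Set to true if you want to block all except essential services.
    blockAllIncoming = false;

    # Software signed by Apple (built-in) may accept incoming connections.
    allowSigned = true;

    # Downloaded signed applications are NOT allowed automatically; each one
    # needs an explicit allow decision before it can accept connections.
    allowSignedApp = false;

    # Stealth mode: do not answer unsolicited probes such as ICMP echo.
    enableStealthMode = true;
  };
}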