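# Runs the Snowflake proxy (Tor pluggable transport) inside an ephemeral NixOS
# container as a tightly sandboxed systemd service.
#
# In the collapsed single-line form of this file the two `#` comments ran to the
# end of the line and swallowed the rest of the expression, so it could not be
# evaluated as written; the settings are unchanged, only laid out one per line
# so each comment covers exactly the directive it describes.
{ config, pkgs, lib, ... }:

{
  containers.snowflake = {
    autoStart = true;
    # Fresh root filesystem on every start; nothing persists across restarts.
    ephemeral = true;
    # No `privateNetwork` is set, so the container shares the host's network
    # namespace — presumably intentional, since the proxy needs outbound
    # reachability; confirm if the host should be isolated from it.
    config = {
      systemd.services.snowflake = {
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          # Per-service IP traffic counters, visible via `systemctl status`.
          IPAccounting = "yes";
          ExecStart = "${pkgs.snowflake}/bin/proxy";
          # Transient unprivileged user allocated for the lifetime of the service.
          DynamicUser = "yes";

          # Read-only filesystem: with `strict` the whole hierarchy is read-only
          # except /dev, /proc and /sys; devices and home directories are hidden.
          ProtectSystem = "strict";
          PrivateDevices = "yes";
          ProtectKernelTunables = "yes";
          ProtectControlGroups = "yes";
          ProtectHome = "yes";

          # Deny access to as many things as possible.
          NoNewPrivileges = "yes";
          PrivateUsers = "yes";
          LockPersonality = "yes";
          MemoryDenyWriteExecute = "yes";
          ProtectClock = "yes";
          ProtectHostname = "yes";
          ProtectKernelLogs = "yes";
          ProtectKernelModules = "yes";
          RestrictNamespaces = "yes";
          RestrictRealtime = "yes";
          RestrictSUIDSGID = "yes";
          # Native ABI only; the leading `~` makes the filter a deny-list of the
          # named syscall groups rather than an allow-list.
          SystemCallArchitectures = "native";
          SystemCallFilter = "~@chown @clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @setuid @swap @privileged @resources";
          # Empty bounding set: the process can never hold any capability.
          CapabilityBoundingSet = "";
          # Hide other processes in /proc and expose only the pid subdirectories.
          ProtectProc = "invisible";
          ProcSubset = "pid";
          # NOTE(review): no RestrictAddressFamilies= is set, so the service may
          # open sockets of any family. Limiting it to AF_INET/AF_INET6 would
          # narrow the surface further, but whether name resolution in the
          # container also needs AF_UNIX (e.g. a local NSS/nscd socket) is not
          # visible here — confirm before restricting.
        };
      };
    };
  };
}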