---
Function {
 argument: None,
 arguments: FunctionArguments {
  arguments: [
   FunctionArgument {
    identifier: "lib",
    default: None,
   },
   FunctionArgument {
    identifier: "config",
    default: None,
   },
  ],
  ellipsis: true,
 },
 definition: With {
  expression: Variable {
   identifier: "lib",
   position: (3, 6),
  },
  target: Map {
   bindings: [
    KeyValue(
     AttributePath {
      attributes: [
       Raw {
        content: "meta",
        position: (6, 3),
       },
      ],
     },
     Map {
      bindings: [
       KeyValue(
        AttributePath {
         attributes: [
          Raw {
           content: "maintainers",
           position: (7, 5),
          },
         ],
        },
        List {
         elements: [
          PropertyAccess {
           expression: Variable {
            identifier: "maintainers",
            position: (7, 21),
           },
           attribute_path: AttributePath {
            attributes: [
             Raw {
              content: "joachifm",
              position: (7, 33),
             },
            ],
           },
           default: None,
          },
         ],
         position: (7, 19),
        },
       ),
      ],
      recursive: false,
      position: (6, 10),
     },
    ),
    KeyValue(
     AttributePath {
      attributes: [
       Raw {
        content: "imports",
        position: (10, 3),
       },
      ],
     },
     List {
      elements: [
       FunctionApplication {
        function: PropertyAccess {
         expression: Variable {
          identifier: "lib",
          position: (11, 6),
         },
         attribute_path: AttributePath {
          attributes: [
           Raw {
            content: "mkRenamedOptionModule",
            position: (11, 10),
           },
          ],
         },
         default: None,
        },
        arguments: [
         List {
          elements: [
           String {
            parts: [
             Raw {
              content: "security",
              position: (11, 35),
             },
            ],
           },
           String {
            parts: [
             Raw {
              content: "virtualization",
              position: (11, 46),
             },
            ],
           },
           String {
            parts: [
             Raw {
              content: "flushL1DataCache",
              position: (11, 63),
             },
            ],
           },
          ],
          position: (11, 32),
         },
         List {
          elements: [
           String {
            parts: [
             Raw {
              content: "security",
              position: (11, 86),
             },
            ],
           },
           String {
            parts: [
             Raw {
              content: "virtualisation",
              position: (11, 97),
             },
            ],
           },
           String {
            parts: [
             Raw {
              content: "flushL1DataCache",
              position: (11, 114),
             },
            ],
           },
          ],
          position: (11, 83),
         },
        ],
       },
      ],
      position: (10, 13),
     },
    ),
    KeyValue(
     AttributePath {
      attributes: [
       Raw {
        content: "options",
        position: (14, 3),
       },
      ],
     },
     Map {
      bindings: [
       KeyValue(
        AttributePath {
         attributes: [
          Raw {
           content: "security",
           position: (15, 5),
          },
          Raw {
           content: "allowUserNamespaces",
           position: (15, 14),
          },
         ],
        },
        FunctionApplication {
         function: Variable {
          identifier: "mkOption",
          position: (15, 36),
         },
         arguments: [
          Map {
           bindings: [
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "type",
                position: (16, 7),
               },
              ],
             },
             PropertyAccess {
              expression: Variable {
               identifier: "types",
               position: (16, 14),
              },
              attribute_path: AttributePath {
               attributes: [
                Raw {
                 content: "bool",
                 position: (16, 20),
                },
               ],
              },
              default: None,
             },
            ),
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "default",
                position: (17, 7),
               },
              ],
             },
             Variable {
              identifier: "true",
              position: (17, 17),
             },
            ),
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "description",
                position: (18, 7),
               },
              ],
             },
             String {
              parts: [
               Raw {
                content: "Whether to allow creation of user namespaces.\n\nThe motivation for disabling user namespaces is the potential\npresence of code paths where the kernel's permission checking\nlogic fails to account for namespacing, instead permitting a\nnamespaced process to act outside the namespace with the same\nprivileges as it would have inside it.  This is particularly\ndamaging in the common case of running as root within the namespace.\n\nWhen user namespace creation is disallowed, attempting to create a\nuser namespace fails with \"no space left on device\" (ENOSPC).\nroot may re-enable user namespace creation at runtime.\n",
                position: (19, 1),
               },
              ],
             },
            ),
           ],
           recursive: false,
           position: (15, 45),
          },
         ],
        },
       ),
       KeyValue(
        AttributePath {
         attributes: [
          Raw {
           content: "security",
           position: (34, 5),
          },
          Raw {
           content: "unprivilegedUsernsClone",
           position: (34, 14),
          },
         ],
        },
        FunctionApplication {
         function: Variable {
          identifier: "mkOption",
          position: (34, 40),
         },
         arguments: [
          Map {
           bindings: [
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "type",
                position: (35, 7),
               },
              ],
             },
             PropertyAccess {
              expression: Variable {
               identifier: "types",
               position: (35, 14),
              },
              attribute_path: AttributePath {
               attributes: [
                Raw {
                 content: "bool",
                 position: (35, 20),
                },
               ],
              },
              default: None,
             },
            ),
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "default",
                position: (36, 7),
               },
              ],
             },
             Variable {
              identifier: "false",
              position: (36, 17),
             },
            ),
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "description",
                position: (37, 7),
               },
              ],
             },
             String {
              parts: [
               Raw {
                content: "When disabled, unprivileged users will not be able to create new namespaces.\nBy default unprivileged user namespaces are disabled.\nThis option only works in a hardened profile.\n",
                position: (38, 1),
               },
              ],
             },
            ),
           ],
           recursive: false,
           position: (34, 49),
          },
         ],
        },
       ),
       KeyValue(
        AttributePath {
         attributes: [
          Raw {
           content: "security",
           position: (44, 5),
          },
          Raw {
           content: "protectKernelImage",
           position: (44, 14),
          },
         ],
        },
        FunctionApplication {
         function: Variable {
          identifier: "mkOption",
          position: (44, 35),
         },
         arguments: [
          Map {
           bindings: [
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "type",
                position: (45, 7),
               },
              ],
             },
             PropertyAccess {
              expression: Variable {
               identifier: "types",
               position: (45, 14),
              },
              attribute_path: AttributePath {
               attributes: [
                Raw {
                 content: "bool",
                 position: (45, 20),
                },
               ],
              },
              default: None,
             },
            ),
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "default",
                position: (46, 7),
               },
              ],
             },
             Variable {
              identifier: "false",
              position: (46, 17),
             },
            ),
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "description",
                position: (47, 7),
               },
              ],
             },
             String {
              parts: [
               Raw {
                content: "Whether to prevent replacing the running kernel image.\n",
                position: (48, 1),
               },
              ],
             },
            ),
           ],
           recursive: false,
           position: (44, 44),
          },
         ],
        },
       ),
       KeyValue(
        AttributePath {
         attributes: [
          Raw {
           content: "security",
           position: (52, 5),
          },
          Raw {
           content: "allowSimultaneousMultithreading",
           position: (52, 14),
          },
         ],
        },
        FunctionApplication {
         function: Variable {
          identifier: "mkOption",
          position: (52, 48),
         },
         arguments: [
          Map {
           bindings: [
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "type",
                position: (53, 7),
               },
              ],
             },
             PropertyAccess {
              expression: Variable {
               identifier: "types",
               position: (53, 14),
              },
              attribute_path: AttributePath {
               attributes: [
                Raw {
                 content: "bool",
                 position: (53, 20),
                },
               ],
              },
              default: None,
             },
            ),
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "default",
                position: (54, 7),
               },
              ],
             },
             Variable {
              identifier: "true",
              position: (54, 17),
             },
            ),
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "description",
                position: (55, 7),
               },
              ],
             },
             String {
              parts: [
               Raw {
                content: "Whether to allow SMT/hyperthreading.  Disabling SMT means that only\nphysical CPU cores will be usable at runtime, potentially at\nsignificant performance cost.\n\nThe primary motivation for disabling SMT is to mitigate the risk of\nleaking data between threads running on the same CPU core (due to\ne.g., shared caches).  This attack vector is unproven.\n\nDisabling SMT is a supplement to the L1 data cache flushing mitigation\n(see <xref linkend=\"opt-security.virtualisation.flushL1DataCache\"/>)\nversus malicious VM guests (SMT could \"bring back\" previously flushed\ndata).\n",
                position: (56, 1),
               },
              ],
             },
            ),
           ],
           recursive: false,
           position: (52, 57),
          },
         ],
        },
       ),
       KeyValue(
        AttributePath {
         attributes: [
          Raw {
           content: "security",
           position: (71, 5),
          },
          Raw {
           content: "forcePageTableIsolation",
           position: (71, 14),
          },
         ],
        },
        FunctionApplication {
         function: Variable {
          identifier: "mkOption",
          position: (71, 40),
         },
         arguments: [
          Map {
           bindings: [
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "type",
                position: (72, 7),
               },
              ],
             },
             PropertyAccess {
              expression: Variable {
               identifier: "types",
               position: (72, 14),
              },
              attribute_path: AttributePath {
               attributes: [
                Raw {
                 content: "bool",
                 position: (72, 20),
                },
               ],
              },
              default: None,
             },
            ),
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "default",
                position: (73, 7),
               },
              ],
             },
             Variable {
              identifier: "false",
              position: (73, 17),
             },
            ),
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "description",
                position: (74, 7),
               },
              ],
             },
             String {
              parts: [
               Raw {
                content: "Whether to force-enable the Page Table Isolation (PTI) Linux kernel\nfeature even on CPU models that claim to be safe from Meltdown.\n\nThis hardening feature is most beneficial to systems that run untrusted\nworkloads that rely on address space isolation for security.\n",
                position: (75, 1),
               },
              ],
             },
            ),
           ],
           recursive: false,
           position: (71, 49),
          },
         ],
        },
       ),
       KeyValue(
        AttributePath {
         attributes: [
          Raw {
           content: "security",
           position: (83, 5),
          },
          Raw {
           content: "virtualisation",
           position: (83, 14),
          },
          Raw {
           content: "flushL1DataCache",
           position: (83, 29),
          },
         ],
        },
        FunctionApplication {
         function: Variable {
          identifier: "mkOption",
          position: (83, 48),
         },
         arguments: [
          Map {
           bindings: [
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "type",
                position: (84, 7),
               },
              ],
             },
             FunctionApplication {
              function: PropertyAccess {
               expression: Variable {
                identifier: "types",
                position: (84, 14),
               },
               attribute_path: AttributePath {
                attributes: [
                 Raw {
                  content: "nullOr",
                  position: (84, 20),
                 },
                ],
               },
               default: None,
              },
              arguments: [
               FunctionApplication {
                function: PropertyAccess {
                 expression: Variable {
                  identifier: "types",
                  position: (84, 28),
                 },
                 attribute_path: AttributePath {
                  attributes: [
                   Raw {
                    content: "enum",
                    position: (84, 34),
                   },
                  ],
                 },
                 default: None,
                },
                arguments: [
                 List {
                  elements: [
                   String {
                    parts: [
                     Raw {
                      content: "never",
                      position: (84, 42),
                     },
                    ],
                   },
                   String {
                    parts: [
                     Raw {
                      content: "cond",
                      position: (84, 50),
                     },
                    ],
                   },
                   String {
                    parts: [
                     Raw {
                      content: "always",
                      position: (84, 57),
                     },
                    ],
                   },
                  ],
                  position: (84, 39),
                 },
                ],
               },
              ],
             },
            ),
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "default",
                position: (85, 7),
               },
              ],
             },
             Variable {
              identifier: "null",
              position: (85, 17),
             },
            ),
            KeyValue(
             AttributePath {
              attributes: [
               Raw {
                content: "description",
                position: (86, 7),
               },
              ],
             },
             String {
              parts: [
               Raw {
                content: "Whether the hypervisor should flush the L1 data cache before\nentering guests.\nSee also <xref linkend=\"opt-security.allowSimultaneousMultithreading\"/>.\n\n<variablelist>\n  <varlistentry>\n    <term><literal>null</literal></term>\n    <listitem><para>uses the kernel default</para></listitem>\n  </varlistentry>\n  <varlistentry>\n    <term><literal>\"never\"</literal></term>\n    <listitem><para>disables L1 data cache flushing entirely.\n    May be appropriate if all guests are trusted.</para></listitem>\n  </varlistentry>\n  <varlistentry>\n    <term><literal>\"cond\"</literal></term>\n    <listitem><para>flushes L1 data cache only for pre-determined\n    code paths.  May leak information about the host address space\n    layout.</para></listitem>\n  </varlistentry>\n  <varlistentry>\n    <term><literal>\"always\"</literal></term>\n    <listitem><para>flushes L1 data cache every time the hypervisor\n    enters the guest.  May incur significant performance cost.\n    </para></listitem>\n  </varlistentry>\n</variablelist>\n",
                position: (87, 1),
               },
              ],
             },
            ),
           ],
           recursive: false,
           position: (83, 57),
          },
         ],
        },
       ),
      ],
      recursive: false,
      position: (14, 13),
     },
    ),
    KeyValue(
     AttributePath {
      attributes: [
       Raw {
        content: "config",
        position: (118, 3),
       },
      ],
     },
     FunctionApplication {
      function: Variable {
       identifier: "mkMerge",
       position: (118, 12),
      },
      arguments: [
       List {
        elements: [
         FunctionApplication {
          function: Variable {
           identifier: "mkIf",
           position: (119, 6),
          },
          arguments: [
           UnaryOperation {
            operator: Not,
            operand: PropertyAccess {
             expression: Variable {
              identifier: "config",
              position: (119, 13),
             },
             attribute_path: AttributePath {
              attributes: [
               Raw {
                content: "security",
                position: (119, 20),
               },
               Raw {
                content: "allowUserNamespaces",
                position: (119, 29),
               },
              ],
             },
             default: None,
            },
            position: (119, 12),
           },
           Map {
            bindings: [
             KeyValue(
              AttributePath {
               attributes: [
                Raw {
                 content: "boot",
                 position: (123, 7),
                },
                Raw {
                 content: "kernel",
                 position: (123, 12),
                },
                Raw {
                 content: "sysctl",
                 position: (123, 19),
                },
                Expression {
                 expression: String {
                  parts: [
                   Raw {
                    content: "user.max_user_namespaces",
                    position: (123, 27),
                   },
                  ],
                 },
                },
               ],
              },
              Int {
               value: 0,
               position: (123, 55),
              },
             ),
             KeyValue(
              AttributePath {
               attributes: [
                Raw {
                 content: "assertions",
                 position: (125, 7),
                },
               ],
              },
              List {
               elements: [
                Map {
                 bindings: [
                  KeyValue(
                   AttributePath {
                    attributes: [
                     Raw {
                      content: "assertion",
                      position: (126, 11),
                     },
                    ],
                   },
                   BinaryOperation {
                    operator: Implication,
                    operands: [
                     PropertyAccess {
                      expression: Variable {
                       identifier: "config",
                       position: (126, 23),
                      },
                      attribute_path: AttributePath {
                       attributes: [
                        Raw {
                         content: "nix",
                         position: (126, 30),
                        },
                        Raw {
                         content: "settings",
                         position: (126, 34),
                        },
                        Raw {
                         content: "sandbox",
                         position: (126, 43),
                        },
                       ],
                      },
                      default: None,
                     },
                     PropertyAccess {
                      expression: Variable {
                       identifier: "config",
                       position: (126, 54),
                      },
                      attribute_path: AttributePath {
                       attributes: [
                        Raw {
                         content: "security",
                         position: (126, 61),
                        },
                        Raw {
                         content: "allowUserNamespaces",
                         position: (126, 70),
                        },
                       ],
                      },
                      default: None,
                     },
                    ],
                    position: (126, 51),
                   },
                  ),
                  KeyValue(
                   AttributePath {
                    attributes: [
                     Raw {
                      content: "message",
                      position: (127, 11),
                     },
                    ],
                   },
                   String {
                    parts: [
                     Raw {
                      content: "`nix.settings.sandbox = true` conflicts with `!security.allowUserNamespaces`.",
                      position: (127, 22),
                     },
                    ],
                   },
                  ),
                 ],
                 recursive: false,
                 position: (126, 9),
                },
               ],
               position: (125, 20),
              },
             ),
            ],
            recursive: false,
            position: (119, 50),
           },
          ],
         },
         FunctionApplication {
          function: Variable {
           identifier: "mkIf",
           position: (132, 6),
          },
          arguments: [
           PropertyAccess {
            expression: Variable {
             identifier: "config",
             position: (132, 11),
            },
            attribute_path: AttributePath {
             attributes: [
              Raw {
               content: "security",
               position: (132, 18),
              },
              Raw {
               content: "unprivilegedUsernsClone",
               position: (132, 27),
              },
             ],
            },
            default: None,
           },
           Map {
            bindings: [
             KeyValue(
              AttributePath {
               attributes: [
                Raw {
                 content: "boot",
                 position: (133, 7),
                },
                Raw {
                 content: "kernel",
                 position: (133, 12),
                },
                Raw {
                 content: "sysctl",
                 position: (133, 19),
                },
                Expression {
                 expression: String {
                  parts: [
                   Raw {
                    content: "kernel.unprivileged_userns_clone",
                    position: (133, 27),
                   },
                  ],
                 },
                },
               ],
              },
              FunctionApplication {
               function: Variable {
                identifier: "mkDefault",
                position: (133, 63),
               },
               arguments: [
                Variable {
                 identifier: "true",
                 position: (133, 73),
                },
               ],
              },
             ),
            ],
            recursive: false,
            position: (132, 51),
           },
          ],
         },
         FunctionApplication {
          function: Variable {
           identifier: "mkIf",
           position: (136, 6),
          },
          arguments: [
           PropertyAccess {
            expression: Variable {
             identifier: "config",
             position: (136, 11),
            },
            attribute_path: AttributePath {
             attributes: [
              Raw {
               content: "security",
               position: (136, 18),
              },
              Raw {
               content: "protectKernelImage",
               position: (136, 27),
              },
             ],
            },
            default: None,
           },
           Map {
            bindings: [
             KeyValue(
              AttributePath {
               attributes: [
                Raw {
                 content: "boot",
                 position: (138, 7),
                },
                Raw {
                 content: "kernelParams",
                 position: (138, 12),
                },
               ],
              },
              List {
               elements: [
                String {
                 parts: [
                  Raw {
                   content: "nohibernate",
                   position: (138, 30),
                  },
                 ],
                },
               ],
               position: (138, 27),
              },
             ),
             KeyValue(
              AttributePath {
               attributes: [
                Raw {
                 content: "boot",
                 position: (140, 7),
                },
                Raw {
                 content: "kernel",
                 position: (140, 12),
                },
                Raw {
                 content: "sysctl",
                 position: (140, 19),
                },
                Expression {
                 expression: String {
                  parts: [
                   Raw {
                    content: "kernel.kexec_load_disabled",
                    position: (140, 27),
                   },
                  ],
                 },
                },
               ],
              },
              FunctionApplication {
               function: Variable {
                identifier: "mkDefault",
                position: (140, 57),
               },
               arguments: [
                Variable {
                 identifier: "true",
                 position: (140, 67),
                },
               ],
              },
             ),
            ],
            recursive: false,
            position: (136, 46),
           },
          ],
         },
         FunctionApplication {
          function: Variable {
           identifier: "mkIf",
           position: (143, 6),
          },
          arguments: [
           UnaryOperation {
            operator: Not,
            operand: PropertyAccess {
             expression: Variable {
              identifier: "config",
              position: (143, 13),
             },
             attribute_path: AttributePath {
              attributes: [
               Raw {
                content: "security",
                position: (143, 20),
               },
               Raw {
                content: "allowSimultaneousMultithreading",
                position: (143, 29),
               },
              ],
             },
             default: None,
            },
            position: (143, 12),
           },
           Map {
            bindings: [
             KeyValue(
              AttributePath {
               attributes: [
                Raw {
                 content: "boot",
                 position: (144, 7),
                },
                Raw {
                 content: "kernelParams",
                 position: (144, 12),
                },
               ],
              },
              List {
               elements: [
                String {
                 parts: [
                  Raw {
                   content: "nosmt",
                   position: (144, 30),
                  },
                 ],
                },
               ],
               position: (144, 27),
              },
             ),
            ],
            recursive: false,
            position: (143, 62),
           },
          ],
         },
         FunctionApplication {
          function: Variable {
           identifier: "mkIf",
           position: (147, 6),
          },
          arguments: [
           PropertyAccess {
            expression: Variable {
             identifier: "config",
             position: (147, 11),
            },
            attribute_path: AttributePath {
             attributes: [
              Raw {
               content: "security",
               position: (147, 18),
              },
              Raw {
               content: "forcePageTableIsolation",
               position: (147, 27),
              },
             ],
            },
            default: None,
           },
           Map {
            bindings: [
             KeyValue(
              AttributePath {
               attributes: [
                Raw {
                 content: "boot",
                 position: (148, 7),
                },
                Raw {
                 content: "kernelParams",
                 position: (148, 12),
                },
               ],
              },
              List {
               elements: [
                String {
                 parts: [
                  Raw {
                   content: "pti=on",
                   position: (148, 30),
                  },
                 ],
                },
               ],
               position: (148, 27),
              },
             ),
            ],
            recursive: false,
            position: (147, 51),
           },
          ],
         },
         FunctionApplication {
          function: Variable {
           identifier: "mkIf",
           position: (151, 6),
          },
          arguments: [
           BinaryOperation {
            operator: NotEqualTo,
            operands: [
             PropertyAccess {
              expression: Variable {
               identifier: "config",
               position: (151, 12),
              },
              attribute_path: AttributePath {
               attributes: [
                Raw {
                 content: "security",
                 position: (151, 19),
                },
                Raw {
                 content: "virtualisation",
                 position: (151, 28),
                },
                Raw {
                 content: "flushL1DataCache",
                 position: (151, 43),
                },
               ],
              },
              default: None,
             },
             Variable {
              identifier: "null",
              position: (151, 63),
             },
            ],
            position: (151, 60),
           },
           Map {
            bindings: [
             KeyValue(
              AttributePath {
               attributes: [
                Raw {
                 content: "boot",
                 position: (152, 7),
                },
                Raw {
                 content: "kernelParams",
                 position: (152, 12),
                },
               ],
              },
              List {
               elements: [
                String {
                 parts: [
                  Raw {
                   content: "kvm-intel.vmentry_l1d_flush=",
                   position: (152, 30),
                  },
                  Expression {
                   expression: PropertyAccess {
                    expression: Variable {
                     identifier: "config",
                     position: (152, 60),
                    },
                    attribute_path: AttributePath {
                     attributes: [
                      Raw {
                       content: "security",
                       position: (152, 67),
                      },
                      Raw {
                       content: "virtualisation",
                       position: (152, 76),
                      },
                      Raw {
                       content: "flushL1DataCache",
                       position: (152, 91),
                      },
                     ],
                    },
                    default: None,
                   },
                  },
                 ],
                },
               ],
               position: (152, 27),
              },
             ),
            ],
            recursive: false,
            position: (151, 69),
           },
          ],
         },
        ],
        position: (118, 20),
       },
      ],
     },
    ),
   ],
   recursive: false,
   position: (5, 1),
  },
  position: (3, 1),
 },
 position: (1, 1),
}