diff --git a/modules/nixos/config/security/default.nix b/modules/nixos/config/security/default.nix
index 7253e22..559f12b 100644
--- a/modules/nixos/config/security/default.nix
+++ b/modules/nixos/config/security/default.nix
@@ -50,6 +50,24 @@ in {
 #};
 };
+ boot.kernel.sysctl = {
+ "dev.tty.ldisc_autoload" = 0;
+ "fs.protected_fifos" = 2;
+ "fs.protected_regular" = 2;
+ "fs.suid_dumpable" = 0;
+ "kernel.kptr_restrict" = 2;
+ # "kernel.modules_disabled" = 1;
+ "kernel.sysrq" = 0;
+ "kernel.unprivileged_bpf_disabled" = 1;
+ "net.ipv4.conf.all.forwarding" = 0;
+ "net.ipv4.conf.all.log_martians" = 1;
+ "net.ipv4.conf.all.rp_filter" = 1;
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.default.log_martians" = 1;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ };
 boot.kernelParams = [
 "amd_iommu=force_isolation"
 "debugfs=off"