diff --git a/hosts/lappy/lappy.nix b/hosts/lappy/lappy.nix
index e9213b4..0db33a0 100644
--- a/hosts/lappy/lappy.nix
+++ b/hosts/lappy/lappy.nix
@@ -5,6 +5,7 @@
 users.root
 users.chaoticryptidz
+ profiles.hardening
 profiles.tailscale
 profiles.gui
 profiles.laptop
@@ -20,8 +21,6 @@
 profiles.sshd
 ];
- networking.firewall.enable = true;
-
 home-manager.users.root = { imports = with tree; [ home.base ]; };
 home-manager.users.chaoticryptidz = {
 imports = with tree; [
@@ -42,6 +41,10 @@
 ];
 };
+ networking.firewall.enable = true;
+ # let vscode, vivaldi, etc work.
+ security.unprivilegedUsernsClone = true;
+
 networking.hostName = "lappy";
 time.timeZone = "Europe/London";
 powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
diff --git a/profiles/base/hardware.nix b/profiles/base/hardware.nix
index 4256acc..693730e 100644
--- a/profiles/base/hardware.nix
+++ b/profiles/base/hardware.nix
@@ -3,6 +3,5 @@
 hardware.enableAllFirmware = true;
 hardware.cpu.intel.updateMicrocode = true;
 hardware.cpu.amd.updateMicrocode = true;
- hardware.ksm.enable = true;
 hardware.wirelessRegulatoryDatabase = true;
 }
diff --git a/profiles/hardening/hardening.nix b/profiles/hardening/hardening.nix
new file mode 100644
index 0000000..949666c
--- /dev/null
+++ b/profiles/hardening/hardening.nix
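Review bot: `security.unprivilegedUsernsClone = true;` in the third lappy.nix hunk unconditionally overrides the `lib.mkDefault config.virtualisation.containers.enable` gate that the newly imported `profiles.hardening` applies, so this host re-enables unprivileged user namespaces regardless of whether containers are enabled; the comment only mentions the apps, not the override. A comment such as `# overrides profiles.hardening's mkDefault: vscode/vivaldi sandboxes need unprivileged user namespaces` would make the trade-off visible to whoever reads the host file. The relocated `networking.firewall.enable = true;` matches the NixOS default as far as I recall, so it is an explicit statement rather than a behavioural change.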
@@ -0,0 +1,100 @@
+{ config, pkgs, lib, ... }: {
+ # modified from https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
+ # but with some stuff not turned on
+
+ boot.kernelPackages = pkgs.linuxPackages_hardened;
+
+ environment.memoryAllocator.provider = "scudo";
+ environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
+
+ # TODO: this breaks NetworkManager
+ # security.lockKernelModules = true;
+
+ security.protectKernelImage = true;
+
+ security.forcePageTableIsolation = true;
+
+ # This is required by podman to run containers in rootless mode.
+ security.unprivilegedUsernsClone = lib.mkDefault config.virtualisation.containers.enable;
+
+ security.virtualisation.flushL1DataCache = "always";
+
+ boot.kernelParams = [
+ # Slab/slub sanity checks, redzoning, and poisoning
+ "slub_debug=FZP"
+
+ # Overwrite free'd memory
+ "page_poison=1"
+
+ # Enable page allocator randomization
+ "page_alloc.shuffle=1"
+
+ # Disable slab merging
+ "slab_nomerge"
+
+ # Zero memory on alloc and init
+ # Scudo should do this but make kernel do it as well
+ "init_on_alloc=1"
+ "init_on_free=1"
+
+ # Make page allocations less predictable
+ "page_alloc.shuffle=1"
+
+ # Turn on page table isolation
+ "pti=on"
+
+ # Disable vsyscalls
+ "vsyscall=none"
+
+ # Disable debugfs
+ "debugfs=off"
+ ];
+
+ boot.kernel.sysctl = {
+ # Restrict ptrace() usage to processes with a pre-defined relationship
+ # (e.g., parent/child)
+ "kernel.yama.ptrace_scope" = 1;
+
+ # Hide kptrs even for processes with CAP_SYSLOG
+ "kernel.kptr_restrict" = 2;
+
+ # Disable bpf() JIT (to eliminate spray attacks)
+ "net.core.bpf_jit_enable" = false;
+
+ # Disable unprivileged bpf
+ "kernel.unprivileged_bpf_disabled" = 1;
+
+ # Disable ftrace debugging
+ "kernel.ftrace_enabled" = false;
+
+ # Disable kexec
+ "kernel.kexec_load_disabled" = 1;
+
+ # Disable sysrq
+ "kernel.sysrq" = 0;
+
+ # Enable strict reverse path filtering (that is, do not attempt to route
+ # packets that "obviously" do not belong to the iface's network; dropped
+ # packets are logged as martians).
+ "net.ipv4.conf.all.log_martians" = true;
+ "net.ipv4.conf.all.rp_filter" = "1";
+ "net.ipv4.conf.default.log_martians" = true;
+ "net.ipv4.conf.default.rp_filter" = "1";
+
+ # Ignore broadcast ICMP (mitigate SMURF)
+ "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+ # Ignore incoming ICMP redirects (note: default is needed to ensure that the
+ # setting is applied to interfaces added after the sysctls are set)
+ "net.ipv4.conf.all.accept_redirects" = false;
+ "net.ipv4.conf.all.secure_redirects" = false;
+ "net.ipv4.conf.default.accept_redirects" = false;
+ "net.ipv4.conf.default.secure_redirects" = false;
+ "net.ipv6.conf.all.accept_redirects" = false;
+ "net.ipv6.conf.default.accept_redirects" = false;
+
+ # Ignore outgoing ICMP redirects (this is ipv4 only)
+ "net.ipv4.conf.all.send_redirects" = false;
+ "net.ipv4.conf.default.send_redirects" = false;
+ };
+}
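Review bot: `"page_alloc.shuffle=1"` is listed twice in `boot.kernelParams` of the new hardening.nix, once under "Enable page allocator randomization" and again under "Make page allocations less predictable"; the second entry and its comment should be dropped so the list states each intent once. `"pti=on"` likewise overlaps with `security.forcePageTableIsolation = true;`, which as far as I recall already adds that parameter, so keeping only the option is clearer. Because this file is a profile that hosts compose, `boot.kernelPackages = pkgs.linuxPackages_hardened;` is simpler to override per host as `boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened;`, matching the `lib.mkDefault` the file already uses for `security.unprivilegedUsernsClone`. The sysctl block mixes `false`, `1` and `"1"` for equivalent on/off flags; settling on one form would make the block easier to audit.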