diff --git a/common/boot.nix b/common/boot.nix
index 66939f6..985e701 100644
--- a/common/boot.nix
+++ b/common/boot.nix
@@ -10,10 +10,6 @@
 };
 };
 
- # otherwise /tmp is on disk. This *may* be problematic as nix
- # builds in /tmp but I think my swap is large enough...
- tmp.useTmpfs = true;
-
 kernelPackages = pkgs.linuxPackages_6_12;
 
 kernel.sysctl."kernel.sysrq" = 1;
diff --git a/common/default.nix b/common/default.nix
index f38170d..57fac8e 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -11,5 +11,6 @@
 ./users.nix
 ];
 
+ environment.defaultPackages = [ ];
 networking.extraHosts = var.lan-dns.hostsFile;
 }
diff --git a/common/security.nix b/common/security.nix
index 9691095..6c9234f 100644
--- a/common/security.nix
+++ b/common/security.nix
@@ -5,8 +5,38 @@
 ...
 }: {
+ boot = {
+ kernel.sysctl = {
+ "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+
+ "net.ipv4.conf.default.rp_filter" = 1;
+ "net.ipv4.conf.all.rp_filter" = 1;
+
+ "net.ipv4.conf.all.accept_source_route" = 0;
+ "net.ipv6.conf.all.accept_source_route" = 0;
+ "net.ipv4.conf.all.send_redirects" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+ "net.ipv4.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+
+ "net.ipv4.tcp_syncookies" = 1;
+ "net.ipv4.tcp_rfc1337" = 1;
+
+ "net.ipv4.tcp_fastopen" = 3;
+ };
+ # otherwise /tmp is on disk. This *may* be problematic as nix
+ # builds in /tmp but I think my swap is large enough...
+ tmp.useTmpfs = lib.mkDefault true;
+ tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
+ };
+
 security = {
 protectKernelImage = true;
+ sudo.enable = false;
 
 doas = {
 enable = true;
diff --git a/desktop/security.nix b/desktop/security.nix
index 564c619..b30b6b6 100644
--- a/desktop/security.nix
+++ b/desktop/security.nix
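Review bot: `environment.defaultPackages = [ ];` carries no comment saying why the option is emptied, and nothing else in the diff replaces what it drops; as far as I recall the NixOS default for this option is a small set of convenience tools (perl, rsync, strace), so anything on these hosts that relied on them must now be listed explicitly in `environment.systemPackages`. A one-line comment keeps the intent from being lost on the next reader: `# drop NixOS' implicit default packages; every installed tool must be listed explicitly`. The enclosing attribute set starts outside the hunk.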
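Review bot: `"net.ipv4.tcp_fastopen" = 3;` enables TCP Fast Open on both the client (bit 0) and the server (bit 1) side, which is a performance setting rather than a hardening one, yet it sits uncommented in the middle of a block of sysctls that are; server-side TFO lets the host accept request data before the handshake completes, so keep it only if something here needs it and say so, e.g. `"net.ipv4.tcp_fastopen" = 3; # TFO client+server: performance, not hardening`, or reduce it to `1` for client-only. `accept_source_route` is set on `conf.all` for v4 and v6 but, unlike every other `conf.*` key in the block, not on `conf.default`; for IPv4 the effective value is the AND of `all` and the per-interface value so `all = 0` already suffices, but adding the two `default` keys keeps the block consistent and removes the question. `tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);` and the line above it use `config` and `lib`, while the hunk shows only `...` of the module's argument list, so if those two are not named there the module will fail to evaluate — cannot tell from the hunk. The module's argument list begins outside the hunk.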
@@ -11,8 +11,6 @@ in {
 options.hd.desktop.security.enable = mkEnableOption "Security";
 
 config = mkIf cfg.enable {
- security = {
-
- };
+ security = { };
 };
 }