diff --git a/flake.lock b/flake.lock
index 42ab6b6..2b94209 100644
--- a/flake.lock
+++ b/flake.lock
@@ -423,11 +423,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1711485334,
- "narHash": "sha256-qOHrFSfo6W5J5RkkJy7xLSECKaK/NITQXfeh715fD7s=",
+ "lastModified": 1711717242,
+ "narHash": "sha256-PW9J9sFw5DA4Fo3Cq4Soc+an6tjTS4VV2NxG6G0UMqw=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "e19e9bceda53148e8dd6e8f54bf19375e5e60af9",
+ "rev": "824952ff6b32b0019465b139b5c76d915ec074ea",
 "type": "github"
 },
 "original": {
@@ -439,11 +439,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1711333969,
- "narHash": "sha256-5PiWGn10DQjMZee5NXzeA6ccsv60iLu+Xtw+mfvkUAs=",
+ "lastModified": 1711523803,
+ "narHash": "sha256-UKcYiHWHQynzj6CN/vTcix4yd1eCu1uFdsuarupdCQQ=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "57e6b3a9e4ebec5aa121188301f04a6b8c354c9b",
+ "rev": "2726f127c15a4cc9810843b96cad73c7eb39e443",
 "type": "github"
 },
 "original": {
@@ -487,11 +487,11 @@
 },
 "nixpkgs_4": {
 "locked": {
- "lastModified": 1711124224,
- "narHash": "sha256-l0zlN/3CiodvWDtfBOVxeTwYSRz93muVbXWSpaMjXxM=",
+ "lastModified": 1711460390,
+ "narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "56528ee42526794d413d6f244648aaee4a7b56c0",
+ "rev": "44733514b72e732bd49f5511bd0203dea9b9a434",
 "type": "github"
 },
 "original": {
diff --git a/hosts/droppie/networking.nix b/hosts/droppie/networking.nix
index e1b74d3..56bece7 100644
--- a/hosts/droppie/networking.nix
+++ b/hosts/droppie/networking.nix
@@ -15,7 +15,6 @@
 # Allow pub.solar restic backups
 services.openssh.allowSFTP = true;
- services.openssh.openFirewall = true;
 age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-droppie.age";
diff --git a/hosts/frikandel/configuration.nix b/hosts/frikandel/configuration.nix
index e5088e0..2173e57 100644
--- a/hosts/frikandel/configuration.nix
+++ b/hosts/frikandel/configuration.nix
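Review bot: Removing `services.openssh.openFirewall = true;` only changes anything if the core module sets that option to false, which the modules/core/networking.nix hunk in this commit does not show; the NixOS default is `true`, so please confirm the effective value, otherwise this is a no-op deletion and sshd stays reachable on every interface. The comment `# Allow pub.solar restic backups` above `allowSFTP` presumably means an external peer pushes backups over SFTP; once port 22 is only allowed on `wg-private`, that peer must come in through the WireGuard tunnel, and a tunnel that fails to come up silently stops the backups. I would extend the comment to `# Allow pub.solar restic backups (SFTP only reachable over wg-private now that SSH is not exposed publicly)` so the dependency is recorded next to the setting.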
@@ -44,7 +44,6 @@ in {
 };
 boot.supportedFilesystems = [ "zfs" ];
- boot.kernelPackages = pkgs.linuxPackages_6_1;
 # Copy the NixOS configuration file and link it from the resulting system
 # (/run/current-system/configuration.nix). This is useful in case you
diff --git a/hosts/frikandel/networking.nix b/hosts/frikandel/networking.nix
index 5d9025c..e535c3d 100644
--- a/hosts/frikandel/networking.nix
+++ b/hosts/frikandel/networking.nix
@@ -14,8 +14,6 @@
 "2a0f:fc81::" #dns0.eu
 ];
- services.openssh.openFirewall = true;
-
 # Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here)
 networking.useDHCP = false;
 networking.interfaces.enp1s0 = {
diff --git a/hosts/pie/configuration.nix b/hosts/pie/configuration.nix
index 057431e..d2493ce 100644
--- a/hosts/pie/configuration.nix
+++ b/hosts/pie/configuration.nix
@@ -21,7 +21,7 @@ in {
 boot.loader.generic-extlinux-compatible.enable = false;
 boot.supportedFilesystems = [ "zfs" ];
- boot.kernelPackages = pkgs.linuxPackages_6_1;
+ boot.kernelPackages = pkgs.linuxPackages_6_1_hardened;
 boot.kernelParams = [
 "boot.shell_on_fail=1"
diff --git a/hosts/pie/networking.nix b/hosts/pie/networking.nix
index 3afadf5..ff0e5bf 100644
--- a/hosts/pie/networking.nix
+++ b/hosts/pie/networking.nix
@@ -27,7 +27,6 @@
 "192.168.178.3" = [ "droppie-initrd.b12f.io" ];
 };
- services.openssh.openFirewall = true;
 services.openssh.allowSFTP = true;
 age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-pie.age";
diff --git a/modules/core/boot.nix b/modules/core/boot.nix
index 00a843e..bc4cb8e 100644
--- a/modules/core/boot.nix
+++ b/modules/core/boot.nix
@@ -12,7 +12,7 @@ in {
 loader.systemd-boot.enable = lib.mkDefault true;
 # Use latest LTS linux kernel by default
- kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+ kernelPackages = lib.mkDefault pkgs.linuxPackages_6_7_hardened;
 # Support ntfs drives
 supportedFilesystems = ["ntfs"];
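Review bot: With the explicit 6.1 pin gone, frikandel silently inherits the core default, which the modules/core/boot.nix hunk in this same commit turns into `linuxPackages_6_7_hardened`, a short-lived non-LTS series; on a host with `boot.supportedFilesystems = [ "zfs" ]` every future bump of that default also has to be one the out-of-tree ZFS module builds against, or the remote box stops evaluating. I would either leave a one-line comment recording that this host deliberately follows the core hardened default, or keep an explicit hardened LTS pin here such as `boot.kernelPackages = pkgs.linuxPackages_6_1_hardened;`, which is what the pie host does in this commit. The enclosing attrset begins and ends outside the hunk.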
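Review bot: After this removal the only SSH path to a Hetzner host with static addressing (`networking.useDHCP = false` below) is the WireGuard interface, so a deploy that breaks `wg-private` leaves nothing but the provider console; that fallback deserves to be written down where the next operator will look. I would put `# SSH is only reachable over wg-private (see modules/core/networking.nix); fall back to the Hetzner console if the tunnel is down` where the removed line stood. Also note the deletion is only effective if the core module actually sets `services.openssh.openFirewall = false` somewhere not shown in this commit, because the NixOS default for that option is `true`.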
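Review bot: The hardened kernel sits directly above `"boot.shell_on_fail=1"` in `boot.kernelParams`, which drops into an unauthenticated root shell in the initrd whenever boot fails; on a physically reachable Pi that gives up much of what a hardened kernel is meant to buy, so if it is kept for recovery it needs a comment such as `# boot.shell_on_fail gives an unauthenticated initrd root shell; acceptable only while the device is physically controlled`. As far as I recall, linux-hardened also ships with unprivileged user namespaces disabled, so anything on this host relying on them (rootless containers, bubblewrap-style sandboxes) will start failing unless `security.unprivilegedUsernsClone = true;` is set, and that is worth stating next to the kernel line. The kernelParams list continues past the hunk.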
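Review bot: The hosts entry `"192.168.178.3" = [ "droppie-initrd.b12f.io" ]` just above suggests initrd SSH (pre-boot unlock) is in use on this network; the runtime firewall rule for `wg-private` does not exist in the initrd, so if pie itself runs an initrd sshd it remains reachable on whatever interface the initrd brings up, unaffected by this removal. That limit is easy to miss and I would record it next to `allowSFTP`, e.g. `# Runtime SSH is only reachable over wg-private; an initrd sshd, if enabled, is not covered by that rule`. As with the other hosts, the removal only has an effect if `services.openssh.openFirewall` is set to false by the core module, since the NixOS default is `true`.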
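Review bot: The comment `# Use latest LTS linux kernel by default` no longer describes the line below it: 6.7 is not an LTS series (6.1 and 6.6 are), and a hard pin on `linuxPackages_6_7_hardened` stops receiving fixes once 6.7 is end-of-life, at which point nixpkgs usually drops the attribute and every host inheriting this default fails to evaluate. If hardening is the goal, pin the hardened LTS variant instead, e.g. `kernelPackages = lib.mkDefault pkgs.linuxPackages_6_6_hardened;` (or `linuxPackages_6_1_hardened`, which the pie host already uses in this commit), and rewrite the comment to `# Use the linux-hardened LTS kernel by default; hosts may override`. Worth adding to that comment that linux-hardened changes defaults for every host importing core, notably disabling unprivileged user namespaces as far as I know, and that its patches can lag upstream point releases.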
diff --git a/modules/core/default.nix b/modules/core/default.nix
index 3e388c7..1bca93e 100644
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@@ -13,26 +13,9 @@ in {
 ./i18n.nix
 ./networking.nix
 ./packages.nix
+ ./hardening.nix
 ];
 # Service that makes Out of Memory Killer more effective
 services.earlyoom.enable = true;
-
- services.logind.lidSwitch = "hibernate";
-
- services.tor.settings = {
- UseBridges = true;
- };
-
- # The options below are directly taken from or inspired by
- # https://xeiaso.net/blog/paranoid-nixos-2021-07-18
-
- # Limit the use of sudo to the group wheel
- security.sudo.execWheelOnly = true;
-
- # Remove the complete default environment of packages like
- # nano, perl and rsync
- environment.defaultPackages = lib.mkForce [];
-
- # fileSystems."/".options = [ "noexec" ];
 }
diff --git a/modules/core/hardening.nix b/modules/core/hardening.nix
new file mode 100644
index 0000000..2140c8d
--- /dev/null
+++ b/modules/core/hardening.nix
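Review bot: Importing `./hardening.nix` unconditionally pulls the Firejail wrappers for `pkgs.firefox` and `pkgs.ungoogled-chromium`, the ClamAV daemon and the Chromium SUID sandbox into every host that uses the core module, including the headless servers touched in this commit (droppie, frikandel, pie), so two browsers land in each server's closure and a SUID-root binary (firejail) is installed on machines that never run a GUI. I would gate the desktop parts behind an option; hardening.nix already binds `cfg = config.pub-solar.core` and `psCfg = config.pub-solar` but uses neither, which suggests a graphical/desktop flag was the intent, and keep only the sudo/coredump/kernel settings unconditional. A comment on the import line, e.g. `# hardening.nix: sudo/coredump defaults plus desktop-only firejail + clamav`, would make the scope visible from here.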
@@ -0,0 +1,58 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.pub-solar.core;
+ psCfg = config.pub-solar;
+in {
+ services.tor.settings = {
+ UseBridges = true;
+ };
+
+ # Always go to encrypted hibernation instead of sleep
+ services.logind.lidSwitch = "hibernate";
+
+ # The options below are directly taken from or inspired by
+ # https://xeiaso.net/blog/paranoid-nixos-2021-07-18
+
+ # Limit the use of sudo to the group wheel
+ security.sudo.execWheelOnly = true;
+
+ # Remove the complete default environment of packages like
+ # nano, perl and rsync
+ environment.defaultPackages = lib.mkForce [];
+
+ # fileSystems."/".options = [ "noexec" ];
+
+ # disable coredump that could be exploited later
+ # and also slow down the system when something crash
+ systemd.coredump.enable = false;
+
+ # required to run chromium
+ security.chromiumSuidSandbox.enable = true;
+
+ # enable firejail
+ programs.firejail.enable = true;
+
+ # create system-wide executables firefox and chromium
+ # that will wrap the real binaries so everything
+ # work out of the box.
+ programs.firejail.wrappedBinaries = {
+ firefox = {
+ executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
+ profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+ };
+ ungoogled-chromium = {
+ executable = "${pkgs.lib.getBin pkgs.ungoogled-chromium}/bin/chromium";
+ profile = "${pkgs.firejail}/etc/firejail/chromium.profile";
+ };
+ };
+
+ # enable antivirus clamav and
+ # keep the signatures' database updated
+ services.clamav.daemon.enable = true;
+ services.clamav.updater.enable = true;
+}
diff --git a/modules/core/networking.nix b/modules/core/networking.nix
index c0e5e17..5880227 100644
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
@@ -37,6 +37,9 @@
 '';
 };
+ # Don't expose SSH via public interfaces
+ networking.firewall.interfaces.wg-private.allowedTCPPorts = [ 22 ];
+
 # For rage encryption, all hosts need a ssh key pair
 services.openssh = {
 enable = true;
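Review bot: `cfg` and `psCfg` in the `let` block are bound but never used, and `with lib;` is in scope while `lib.mkForce` is still written fully qualified; either drop the two bindings or use them to gate the desktop-only parts, and pick one of the two `lib` styles. `systemd.coredump.enable = false;` turns core dumps off, yet the persistence module in this same commit still persists `/var/lib/systemd/coredump`, so one of the two settings is stale. Two caveats deserve a comment rather than silence: Firejail is a SUID-root binary that has had several local privilege-escalation CVEs, so enabling it trades browser sandboxing for new root attack surface on every importing host, and as far as this file shows `clamd` is started with nothing configured to feed it (no on-access scanning, no mail or upload hook), so it costs memory and adds a large parser of untrusted input without scanning anything. I would add a short header comment to the file stating which settings are meant for servers and which for desktops, and note next to `security.chromiumSuidSandbox.enable` that it is needed because the hardened kernel disables unprivileged user namespaces, which is the actual reason Chromium's namespace sandbox cannot be used.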
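Review bot: The new rule only adds an allow on `wg-private`; it does not close port 22 anywhere else, because `services.openssh.openFirewall` defaults to `true` in NixOS and opens 22 on all interfaces, and the `services.openssh = { enable = true; …` attrset that would have to carry `openFirewall = false;` runs past the end of the hunk. Unless that attrset or another module sets it, the comment `# Don't expose SSH via public interfaces` does not describe what the configuration does, and the per-host removals of `openFirewall = true` elsewhere in this commit are no-ops. I would put `services.openssh.openFirewall = false;` directly under the new rule and rewrite the comment to `# SSH only on the WireGuard interface: the interface-scoped allow is additive, so openFirewall must be off`, and document an out-of-band console path, since a broken tunnel now means no SSH at all.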
diff --git a/modules/persistence/default.nix b/modules/persistence/default.nix
index 435e136..ae6b6b3 100644
--- a/modules/persistence/default.nix
+++ b/modules/persistence/default.nix
@@ -8,6 +8,7 @@
 "/var/lib/nixos"
 "/var/lib/systemd/coredump"
 "/etc/NetworkManager/system-connections"
+ "/etc/firejail"
 ];
 files = [
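Review bot: Persisting `/etc/firejail` only matters for local overrides (`*.local`, `globals.local`, `firejail.config`), since the profiles the wrappers in hardening.nix reference come straight from `${pkgs.firejail}/etc/firejail` in the store; because firejail runs SUID root and reads this directory, the persisted backing store must stay root-owned and not user-writable, which is worth a comment on the entry, e.g. `# local firejail overrides; read by a SUID-root binary, must remain root-only`. Separately, `/var/lib/systemd/coredump` is still persisted one line up while this commit sets `systemd.coredump.enable = false` in hardening.nix, so that entry is now dead weight and could be dropped. The `directories` list begins outside the hunk.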