diff --git a/TODO.md b/TODO.md
index 3c8bf5f..4bebd2a 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,6 +1,3 @@
 * fix: special workspace preload always loads first. Toggling it back is easy, but i'd rather create a new sh script that forces back to normal workspace.
-* add: hypridle
 * add: similar to omarchy-menu
 * cleanup: stylix configurations and wallpaper
-* cleanup: convert `anonymize` fixme's to secret keys
-* add: hyprlock
diff --git a/modules/nixos/boot.nix b/modules/nixos/boot.nix
index 9999b49..38aedc7 100644
--- a/modules/nixos/boot.nix
+++ b/modules/nixos/boot.nix
@@ -6,6 +6,7 @@
 timeout = 0;
 systemd-boot = {
 enable = true;
+ editor = false;
 };
 efi = {
diff --git a/modules/nixos/hardware.nix b/modules/nixos/hardware.nix
index 1ae3d3d..5da7b93 100644
--- a/modules/nixos/hardware.nix
+++ b/modules/nixos/hardware.nix
@@ -6,7 +6,7 @@
 hardware = {
 bluetooth = {
 enable = true;
- powerOnBoot = true;
+ powerOnBoot = false;
 };
 };
 networking = {
@@ -16,8 +16,8 @@
 wireless.iwd.enable = true;
 firewall = {
 enable = true;
- allowedTCPPorts = [22 80];
- allowedUDPPorts = [53];
+ allowedTCPPorts = [];
+ allowedUDPPorts = [];
 };
 };
 }
diff --git a/modules/nixos/kernel.nix b/modules/nixos/kernel.nix
index f158eab..c2389bf 100644
--- a/modules/nixos/kernel.nix
+++ b/modules/nixos/kernel.nix
@@ -5,9 +5,21 @@
 "quiet"
 "splash"
 "intremap=on"
- "boot.shell_on_fail"
 "udev.log_priority=3"
 "rd.systemd.show_status=auto"
+ # Security hardening
+ "slab_nomerge"
+ "init_on_alloc=1"
+ "init_on_free=1"
+ "page_alloc.shuffle=1"
+ "randomize_kstack_offset=on"
+ "vsyscall=none"
 ];
+ kernel.sysctl = {
+ "kernel.dmesg_restrict" = 1;
+ "kernel.kptr_restrict" = 2;
+ "kernel.unprivileged_bpf_disabled" = 1;
+ "net.core.bpf_jit_harden" = 2;
+ };
 };
 }
diff --git a/modules/nixos/security.nix b/modules/nixos/security.nix
index 0d726ce..75df300 100644
--- a/modules/nixos/security.nix
+++ b/modules/nixos/security.nix
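Review bot: The new `editor = false;` line in boot.nix carries no comment, unlike the `# Security hardening` block added to kernel.nix in the same commit, so the reason for it is lost on the next reader. Disabling the systemd-boot editor stops the kernel command line from being changed interactively at boot, which is also what makes the removal of `boot.shell_on_fail` in kernel.nix hold up; `# no boot-time cmdline editing; a firmware password is still needed to stop booting other media` records both what it covers and what it does not. The enclosing attribute set (presumably `boot.loader`) opens before the hunk.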
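Review bot: `allowedTCPPorts = [];` and `allowedUDPPorts = [];` in the second hardware.nix hunk are the NixOS defaults, and list options merge across modules, so these lines do not by themselves guarantee that nothing is reachable: any module that sets `openFirewall = true` still adds its ports. If the intent is "no inbound ports", that is better checked on the live ruleset after switching than asserted here, and a comment such as `# nothing inbound by default; per-service ports only via openFirewall` would make the intent explicit. Dropping 22 matches the openssh removal in services.nix, but whatever listened on TCP 80 and UDP 53 is not visible in this diff; confirm those services are gone too, or they keep listening behind the filter.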
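Review bot: The single `# Security hardening` comment in kernel.nix covers six parameters with very different costs, and two of them deserve their own line: `init_on_free=1` wipes every page on free and is the one with measurable overhead, and `vsyscall=none` removes the legacy vsyscall page, which breaks very old statically linked binaries. A short per-flag comment, e.g. `# init_on_free: zeroes freed memory, measurable cost` and `# vsyscall=none: breaks legacy static binaries`, keeps that trade-off visible when someone later chases a regression. In the `kernel.sysctl` block, `kernel.unprivileged_bpf_disabled = 1` cannot be undone until reboot (the value 2 is the re-enableable variant), which is fine if intended but worth a comment. Dropping `boot.shell_on_fail` is the right call, since it would otherwise offer a root shell in the initrd on a failed boot; the `kernelParams` list opens before the hunk.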
@@ -5,6 +5,15 @@
 ...
 }: {
 security.pam.services.greetd.enableGnomeKeyring = true;
+ security.sudo = {
+ enable = true;
+ wheelNeedsPassword = true;
+ execWheelOnly = true;
+ extraConfig = ''
+ Defaults timestamp_timeout=15
+ Defaults passwd_tries=3
+ '';
+ };
 environment.systemPackages = with pkgs; [
 sops
 age
diff --git a/modules/nixos/services.nix b/modules/nixos/services.nix
index 072c11e..deddea6 100644
--- a/modules/nixos/services.nix
+++ b/modules/nixos/services.nix
@@ -18,7 +18,6 @@
 };
 # essentials
- openssh.enable = true; # FIXME: remove when done
 blueman.enable = true;
 # for encryption support for unfree apps
@@ -29,7 +28,7 @@
 avahi = {
 enable = true;
 nssmdns4 = true;
- openFirewall = true;
+ openFirewall = false;
 };
 pipewire = {
 enable = true;
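Review bot: Of the sudo settings added in security.nix, only `execWheelOnly = true;` changes behavior: `enable = true` and `wheelNeedsPassword = true` are the NixOS defaults, and on stock sudo builds `timestamp_timeout=15` and `passwd_tries=3` are the compiled-in defaults as well (verify with `sudo -V` on the target, since builds can change them). If the goal is to tighten rather than document, a shorter credential cache such as `Defaults timestamp_timeout=5` is the line that would actually change something; otherwise a comment saying these pin the defaults explicitly stops the next reader from assuming they harden anything. The module's function header starts before the hunk and the `environment.systemPackages` list continues past it.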
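Review bot: In the avahi hunk of services.nix, `openFirewall = false;` with `enable = true;` and `nssmdns4 = true;` left in place, combined with hardware.nix now leaving `allowedUDPPorts` empty, means inbound mDNS on UDP 5353 is filtered, so resolving `.local` names of other hosts through nss-mdns will most likely stop working (mDNS replies are multicast and are not matched by connection tracking). If mDNS is no longer wanted, `enable = false;` removes the listening daemon instead of leaving it running behind the filter; if it is still wanted, keep the port open and say why in a comment. The openssh removal in the preceding hunk is consistent with dropping port 22 in hardware.nix.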