diff --git a/kyra/security/defaults.nix b/kyra/security/defaults.nix
new file mode 100644
index 0000000..ffd8c5a
--- /dev/null
+++ b/kyra/security/defaults.nix
@@ -0,0 +1,13 @@
+_: {
+ security = {
+ unprivilegedUsernsClone = false;
+ forcePageTableIsolation = true;
+ allowSimultaneousMultithreading = false;
+ protectKernelImage = true;
+ lockKernelModules = true;
+
+ virtualisation = {
+ flushL1DataCache = "always";
+ };
+ };
+}
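Review bot: `lockKernelModules = true;` blocks module loading once the system has booted, and nothing in this file declares the modules a host will need later, so hardware or filesystems whose modules are not loaded at boot will stop working on any machine that imports it. Hosts should list those modules in `boot.kernelModules`, and a comment on that line such as `# module loading is disabled after boot; list required modules in boot.kernelModules` would make the requirement visible. The file is named defaults.nix but sets every option at normal priority, so a host that has to relax one (for example re-enabling SMT) needs `lib.mkForce`; if per-host overrides are intended, change the header to `{ lib, ... }:` and wrap the values, e.g. `lockKernelModules = lib.mkDefault true;`. As I understand the NixOS module, `protectKernelImage = true;` also disables hibernation and kexec, which deserves a one-line comment for anyone importing this on a laptop.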