From d5d41960f4afba9e20e5d5294a137c405ce02d42 Mon Sep 17 00:00:00 2001
From: s0me1newithhand7s
Date: Sun, 3 May 2026 19:05:21 +0300
Subject: [PATCH] kyra(hardening): security defaults init

Signed-off-by: s0me1newithhand7s
---
kyra/security/defaults.nix | 13 +++++++++++++
1 file changed, 13 insertions(+)
create mode 100644 kyra/security/defaults.nix

diff --git a/kyra/security/defaults.nix b/kyra/security/defaults.nix
new file mode 100644
index 0000000..ffd8c5a
--- /dev/null
+++ b/kyra/security/defaults.nix
@@ -0,0 +1,13 @@
+_: {
+ security = {
+ unprivilegedUsernsClone = false;
+ forcePageTableIsolation = true;
+ allowSimultaneousMultithreading = false;
+ protectKernelImage = true;
+ lockKernelModules = true;
+
+ virtualisation = {
+ flushL1DataCache = "always";
+ };
+ };
+}
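Review bot: `unprivilegedUsernsClone = false;` may not restrict anything on its own. As far as I recall, `false` is already this option's default and the NixOS module only acts when it is `true`, by setting `kernel.unprivileged_userns_clone`. The patch does not show which kernel package is used, so on a non-hardened kernel unprivileged user namespaces probably stay available; check the sysctl on a built host. If a stock kernel is in use, the restriction would need something like `boot.kernel.sysctl."user.max_user_namespaces" = 0;`, which also affects software that relies on user namespaces. Separately, `lockKernelModules = true;` stops module loading after boot and `protectKernelImage = true;` disables kexec and hibernation, so I would add above them `# modules needed after boot must be listed in boot.kernelModules; hibernation and kexec are disabled`.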