diff --git a/configuration.nix b/configuration.nix
index ae71767..e9d1265 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -18,6 +18,7 @@
 ./modules/age-secrets.nix
 ./modules/secureboot.nix
 ./modules/no-rgb.nix
+ ./modules/security.nix
 ./services/postgresql.nix
 ./services/jellyfin.nix
diff --git a/modules/security.nix b/modules/security.nix
new file mode 100644
index 0000000..d4d057b
--- /dev/null
+++ b/modules/security.nix
@@ -0,0 +1,30 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ # memory allocator
+ # BREAKS REDIS-IMMICH
+ # environment.memoryAllocator.provider = "graphene-hardened";
+
+ # disable coredumps
+ systemd.coredump.enable = false;
+
+ services = {
+ dbus.implementation = "broker";
+ /*
+ logrotate.enable = true;
+ journald = {
+ storage = "volatile"; # Store logs in memory
+ upload.enable = false; # Disable remote log upload (the default)
+ extraConfig = ''
+ SystemMaxUse=500M
+ SystemMaxFileSize=50M
+ '';
+ };
+ */
+ };
+}
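Review bot: The `# disable coredumps` comment above `systemd.coredump.enable = false;` in modules/security.nix likely promises more than the option delivers: as far as I know it only turns off the systemd-coredump handler, and whether the kernel still writes core files then depends on `kernel.core_pattern` and the core rlimit, neither of which this module sets. If the goal is that no process memory reaches disk, check `sysctl kernel.core_pattern` on the built system and pin the intent explicitly, for example with `boot.kernel.sysctl."fs.suid_dumpable" = 0;` plus an explicit core limit; otherwise reword the comment to `# do not collect core dumps via systemd-coredump`. The commented-out journald block would, if enabled, keep logs only in memory (`storage = "volatile"`), so they would be lost on reboot; a one-line comment saying why the block is parked and naming that trade-off would help the next reader. The `config`, `lib` and `pkgs` arguments are unused in this file.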