diff --git a/home/laozi/common/core/firejail.nix b/home/laozi/common/core/firejail.nix
new file mode 100644
index 0000000..7f2face
--- /dev/null
+++ b/home/laozi/common/core/firejail.nix
@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+{
+ programs.firejail = {
+ enable = true;
+ wrappedBinaries = {
+ librewolf = {
+ executable = "${pkgs.librewolf}/bin/librewolf";
+ profile = "${pkgs.firejail}/etc/firejail/librewolf.profile";
+ extraArgs = [
+ # Required for U2F USB stick
+ "--ignore=private-dev"
+ # Enforce dark mode
+ "--env=GTK_THEME=Adwaita:dark"
+ # Enable system notifications
+ "--dbus-user.talk=org.freedesktop.Notifications"
+ ];
+ };
+ signal-desktop = {
+ # Enable tray icon otherwise Signal window might be hidden
+ executable = "${pkgs.signal-desktop}/bin/signal-desktop --use-tray-icon";
+ profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
+ extraArgs = [
+ # Enforce dark mode
+ "--env=GTK_THEME=Adwaita:dark"
+ #TODO: Enable Wayland mode
+ #"--env=NIXOS_OZONE_WL=1"
+ # Allow tray icon (should be upstreamed into signal-desktop.profile)
+ "--dbus-user.talk=org.kde.StatusNotifierWatcher"
+ ];
+ };
+ };
+ };
+}
+
diff --git a/systems/common/core/services/default.nix b/systems/common/core/services/default.nix
new file mode 100644
index 0000000..172dd86
--- /dev/null
+++ b/systems/common/core/services/default.nix
@@ -0,0 +1,4 @@
+{ configLib, ... }:
+{
+ import = (configLib.scanPaths ./.);
+}
diff --git a/systems/common/core/services/fail2ban.nix b/systems/common/core/services/fail2ban.nix
new file mode 100644
index 0000000..7a6fdba
--- /dev/null
+++ b/systems/common/core/services/fail2ban.nix
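Review bot: The `signal-desktop` entry smuggles a command-line flag into the executable path (`executable = "${pkgs.signal-desktop}/bin/signal-desktop --use-tray-icon";`); in the NixOS `programs.firejail` module that option is declared as a path, and whether the flag survives depends on the generated wrapper interpolating the value unquoted, which is not part of the documented interface. A robust form is `executable = "${pkgs.signal-desktop}/bin/signal-desktop";` with the flag supplied by a small `pkgs.writeShellScriptBin` wrapper or the desktop entry. On the librewolf entry, `--ignore=private-dev` does not whitelist the U2F device, it drops the profile's `private-dev` restriction entirely, so the sandboxed browser sees all of `/dev`; the comment should say so, e.g. `# U2F: disables private-dev, which exposes the whole of /dev to the sandbox`. This file lives under `home/`, and I cannot tell from the diff whether this repository's home-manager setup defines a `programs.firejail` module with these option names; they match the NixOS system module, which also provides the setuid firejail wrapper the generated scripts rely on, so confirm the option actually exists in the home-manager evaluation.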
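Review bot: `import = (configLib.scanPaths ./.);` in `systems/common/core/services/default.nix` should almost certainly be `imports`; the module system only recognises `imports`, and an attribute named `import` is treated as an option definition, so evaluation fails with an unknown-option error instead of loading the sibling modules. Change the line to `imports = configLib.scanPaths ./.;` (the parentheses add nothing). `configLib.scanPaths` is project code not visible here; it presumably excludes `default.nix` itself, otherwise the module would import itself — worth confirming.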
@@ -0,0 +1,64 @@
+# http://web.archive.org/web/20240621185719/https://dataswamp.org/~solene/2022-10-02-nixos-fail2ban.html
+{
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ "192.168.1.0/24"
+ ];
+ # needed to ban on IPv4 and IPv6 for all ports
+ extraPackages = [pkgs.ipset];
+ banaction = "iptables-ipset-proto6-allports";
+
+
+ jails = {
+
+ # max 6 failures in 600 seconds
+ "nginx-spam" = ''
+ enabled = true
+ filter = nginx-bruteforce
+ logpath = /var/log/nginx/access.log
+ backend = auto
+ maxretry = 6
+ findtime = 600
+ '';
+
+ # max 3 failures in 600 seconds
+ "postfix-bruteforce" = ''
+ enabled = true
+ filter = postfix-bruteforce
+ findtime = 600
+ maxretry = 3
+ '';
+
+ # max 10 failures in 600 seconds
+ "molly" = ''
+ enabled = true
+ filter = molly
+ findtime = 600
+ maxretry = 10
+ logpath = /var/log/molly-brown/access.log
+ backend = auto
+ '';
+ };
+ environment.etc = {
+ "fail2ban/filter.d/molly.conf".text = ''
+ [Definition]
+ failregex = \s+(31|40|51|53).*$
+ '';
+
+ "fail2ban/filter.d/nginx-bruteforce.conf".text = ''
+ [Definition]
+ failregex = ^.*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d.\d\" 404.*$
+ '';
+
+ "fail2ban/filter.d/postfix-bruteforce.conf".text = ''
+ [Definition]
+ failregex = warning: [\w\.\-]+\[\]: SASL LOGIN authentication failed.*$
+ journalmatch = _SYSTEMD_UNIT=postfix.service
+ '';
+ };
+
+
+
+
+}
diff --git a/systems/common/core/services/firejail.nix b/systems/common/core/services/firejail.nix
new file mode 100644
index 0000000..569e214
--- /dev/null
+++ b/systems/common/core/services/firejail.nix
@@ -0,0 +1,2 @@
+{ pkgs, ... }:
+{ }
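Review bot: `extraPackages = [pkgs.ipset];` references `pkgs`, but the file is a bare attribute set with no module arguments, so evaluation fails with an undefined-variable error; the file needs to start with `{ pkgs, ... }:` before the opening `{`. The brace structure also looks wrong: `services.fail2ban = {` is never closed before `environment.etc = {` begins, so `environment.etc` ends up nested under `services.fail2ban` and the final `}` leaves the outer set unclosed — a `};` is missing after the `};` that closes `jails`. The three jails hard-code nginx, postfix and molly-brown log paths and units in a module under `systems/common`, so on any host that lacks one of those services fail2ban will fail to start that jail (and, depending on the fail2ban version, may refuse to start at all); guarding each jail with the corresponding `services.<name>.enable` would keep this importable everywhere. Note too that `banaction = "iptables-ipset-proto6-allports"` presumes the iptables-based firewall; if a host enables `networking.nftables`, bans would not be applied, which is worth a comment next to that line.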
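Review bot: `systems/common/core/services/firejail.nix` binds `pkgs` but never uses it and its body is `{ }`, so the module has no effect; either drop the placeholder or give it content. If the wrapped binaries in `home/laozi/common/core/firejail.nix` are meant to use the setuid firejail wrapper that the NixOS `programs.firejail` module installs, this is the natural place for `programs.firejail.enable = true;` — I cannot see from the diff whether that is already set elsewhere in the system configuration.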