diff --git a/hosts/Equinox/default.nix b/hosts/Equinox/default.nix
index 7d64d7b..ffc9bd5 100644
--- a/hosts/Equinox/default.nix
+++ b/hosts/Equinox/default.nix
@@ -20,6 +20,7 @@ in
     # Import system configuration
     ../../modules/system.nix
+    ../../modules/harden.nix
     ../../modules/kde.nix
   ];
diff --git a/modules/harden.nix b/modules/harden.nix
new file mode 100644
index 0000000..0d9c819
--- /dev/null
+++ b/modules/harden.nix
@@ -0,0 +1,23 @@
+{
+  networking.firewall.enable = true;
+
+  security.sudo.execWheelOnly = true;
+
+  security.sudo.wheelNeedsPassword = true;
+
+  security.auditd.enable = true;
+  security.audit.enable = true;
+
+  services = {
+    openssh = {
+      enable = true;
+      settings.PermitRootLogin = "no"; # distributed-build.nix requires it
+      settings.PasswordAuthentication = false;
+      allowSFTP = false;
+    };
+    fail2ban = {
+      enable = true;
+    };
+  };
+  nix.settings.allowed-users = [ "root" "@users" ];
+}
diff --git a/modules/system.nix b/modules/system.nix
index 47dc61b..8720c76 100644
--- a/modules/system.nix
+++ b/modules/system.nix
@@ -1,15 +1,9 @@
 { config, pkgs, ... }:
 {
-  # Enable CUPS to print documents.
   services.printing.enable = true;
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  networking.firewall.enable = false;
-  # Enable the OpenSSH daemon.
   services.openssh = {
     enable = true;
@@ -24,15 +18,19 @@
   # Allow unfree packages
   nixpkgs.config.allowUnfree = true;
+  # Add system packages
   environment.systemPackages = with pkgs; [
-    git
   ];
+  # Enable fish shell
+  programs.fish.enable = true;
+
   # Define a user account. Don't forget to set a password with ‘passwd’.
   users.users.panotaka = {
     isNormalUser = true;
     description = "panotaka";
     extraGroups = [ "networkmanager" "wheel" ];
+    shell = pkgs.fish;
     openssh.authorizedKeys.keys = [ ];
   };
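Review bot: The comment on `settings.PermitRootLogin = "no"` in modules/harden.nix reads `# distributed-build.nix requires it`, which contradicts the value it annotates: if distributed-build.nix needs root SSH access, "no" will break remote builds, and if root login is intentionally off the comment is stale. Either set the value to what that module actually needs (`settings.PermitRootLogin = "prohibit-password";` keeps key-only root access) or reword the comment to something like `# root SSH login disabled; distributed builds must go through a non-root build user`. Separately, `security.audit.enable = true` appears to be set without any `security.audit.rules`, so auditd is running but records little beyond the kernel defaults; adding at least a rule for privileged command execution would make the service earn its cost. A one-line header comment stating the file's purpose, e.g. `# Baseline hardening shared by all hosts: firewall, sudo, audit, sshd auth policy`, would also help, since the import in hosts/Equinox/default.nix gives no hint of what the module changes.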
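Review bot: `services.openssh` in modules/system.nix is now defined in two modules, and this block's remaining attributes continue past the hunk, so any `settings.*` value it sets that modules/harden.nix also sets (PasswordAuthentication, PermitRootLogin) with a different value will abort evaluation with a conflicting-definition error, while an identical value is merely redundant. Either drop the sshd policy settings from this file and leave them to harden.nix, or mark the ones here with `lib.mkDefault` (adding `lib` to the module arguments) so the hardening module wins. The removal of `# Enable the OpenSSH daemon.` also leaves the next reader with no pointer to where the policy went; a one-line comment such as `# sshd authentication hardening lives in modules/harden.nix` would fix that.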
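Review bot: `openssh.authorizedKeys.keys = [ ]` for users.users.panotaka, combined with modules/harden.nix now setting `PasswordAuthentication = false` and `PermitRootLogin = "no"`, leaves sshd with no credential it will accept for this account unless keys are supplied elsewhere; the key list is context rather than a changed line, but the new module changes what the empty list means. On a host administered remotely that is a lockout risk, so either populate the key list in the same change or document next to it that keys come from another module, e.g. `# keys intentionally empty here; provided by <other module>`. The new `# Add system packages` comment on an empty `environment.systemPackages` list describes what the line would do rather than why `git` was dropped; either say where packages are expected to come from or remove the comment.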