diff --git a/hosts/common/core/default.nix b/hosts/common/core/default.nix
index 0712153..985f68b 100644
--- a/hosts/common/core/default.nix
+++ b/hosts/common/core/default.nix
@@ -6,6 +6,7 @@ _: {
 ./disable-nano.nix
 ./disk.nix
 ./docs.nix
+ ./fs-hardening.nix
 ./nix.nix
 ./oomd.nix
 ./permit-olm.nix
diff --git a/hosts/common/core/fs-hardening.nix b/hosts/common/core/fs-hardening.nix
new file mode 100644
index 0000000..26fd1f3
--- /dev/null
+++ b/hosts/common/core/fs-hardening.nix
@@ -0,0 +1,8 @@
+_: {
+ fileSystems = let
+ defaults = [ "nodev" "nosuid" "noexec" ];
+ in {
+ "/boot".options = defaults;
+ "/var/log".options = defaults;
+ };
+}
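Review bot: Any host without a separate /boot or /var/log mount will get a fileSystems entry with no device from the new fs-hardening.nix, because `"/boot".options` and `"/var/log".options` are set unconditionally and the file is imported from common/core. As far as I know NixOS rejects such an entry at evaluation time with a "No device specified for mount point" error, so the precondition should be stated at the top of the file, e.g. `# Importing hosts must declare /boot and /var/log as separate mounts; this module only adds mount options.` If /boot is a FAT ESP, nodev/nosuid/noexec do not restrict who can read it, so `fmask=0077` and `dmask=0077` may be worth adding there; the filesystem type is not visible in this diff. As a style point, the let-binding `defaults` reads like the fstab keyword of the same name, and something like `hardened` would be clearer.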