diff --git a/modules/security.nix b/modules/security.nix
index c4db9ad..32fbd61 100755
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -13,40 +13,40 @@ in {
     tmp.useTmpfs = lib.mkDefault true;
     tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
     
-      kernel.sysctl = {
-        # magic sysrq key, allows low-level commands through keyboard input
-        "kernel.sysrq" = 0;
+    kernel.sysctl = {
+      # magic sysrq key, allows low-level commands through keyboard input
+      "kernel.sysrq" = 0;
 
-        ## TCP hardening
-        # prevent bogus ICMP errors from filling up logs
-        "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
-        # do not accept IP source packets (we are not a router)
-        "net.ipv4.conf.all.accept_source_route" = 0;
-        "net.ipv6.conf.all.accept_source_route" = 0;
-        # don't send ICMP redirects (again, we're not a router)
-        "net.ipv4.conf.all.send_redirects" = 0;
-        "net.ipv4.conf.default.send_redirects" = 0;
-        # refuse ICMP redirects (MITM mitigations)
-        "net.ipv4.conf.all.accept_redirects" = 0;
-        "net.ipv4.conf.default.accept_redirects" = 0;
-        "net.ipv4.conf.all.secure_redirects" = 0;
-        "net.ipv4.conf.default.secure_redirects" = 0;
-        "net.ipv6.conf.all.accept_redirects" = 0;
-        "net.ipv6.conf.default.accept_redirects" = 0;
-        # protects against SYN flood attacks
-        "net.ipv4.tcp_syncookies" = 1;
-        # incomplete protection against TIME-WAIT assassination
-        "net.ipv4.tcp_rfc1337" = 1;
+      ## TCP hardening
+      # prevent bogus ICMP errors from filling up logs
+      "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+      # do not accept IP source packets (we are not a router)
+      "net.ipv4.conf.all.accept_source_route" = 0;
+      "net.ipv6.conf.all.accept_source_route" = 0;
+      # don't send ICMP redirects (again, we're not a router)
+      "net.ipv4.conf.all.send_redirects" = 0;
+      "net.ipv4.conf.default.send_redirects" = 0;
+      # refuse ICMP redirects (MITM mitigations)
+      "net.ipv4.conf.all.accept_redirects" = 0;
+      "net.ipv4.conf.default.accept_redirects" = 0;
+      "net.ipv4.conf.all.secure_redirects" = 0;
+      "net.ipv4.conf.default.secure_redirects" = 0;
+      "net.ipv6.conf.all.accept_redirects" = 0;
+      "net.ipv6.conf.default.accept_redirects" = 0;
+      # protects against SYN flood attacks
+      "net.ipv4.tcp_syncookies" = 1;
+      # incomplete protection against TIME-WAIT assassination
+      "net.ipv4.tcp_rfc1337" = 1;
 
-        ## TCP optimization
-        # TCP fastopen
-        "net.ipv4.tcp_fastopen" = 3;
-        # bufferbloat mitigations + improvement in throughput and latency
-        "net.ipv4.tcp_conjestion_control" = "bbr";
-        "net.core.default_qdisc" = "cake";
-      };
-      kernelModules = [ "tcp_bbr" ];
+      ## TCP optimization
+      # TCP fastopen
+      "net.ipv4.tcp_fastopen" = 3;
+      # bufferbloat mitigations + improvement in throughput and latency
+      "net.ipv4.tcp_conjestion_control" = "bbr";
+      "net.core.default_qdisc" = "cake";
     };
+    kernelModules = [ "tcp_bbr" ];
+  };
 
     security = {
       # prevents replacing the kernel without a reboot
@@ -59,6 +59,8 @@ in {
 
     # personal computer? no firewall ty :3
     networking.firewall.enable = false;
+
+    # TODO: usbguard
   } // (mkIf cfg.useDoas {
     security.sudo.enable = false;
     security.doas.enable = true;