diff --git a/nixos/profiles/common/core/hardening/default.nix b/nixos/profiles/common/core/hardening/default.nix
index 1961e0b..de599e8 100644
--- a/nixos/profiles/common/core/hardening/default.nix
+++ b/nixos/profiles/common/core/hardening/default.nix
@@ -4,7 +4,6 @@
 # ref: https://madaidans-insecurities.github.io/guides/linux-hardening.html
 imports = [
 ./sysctl.nix
- ./systemd.nix
 ];
 environment.etc.machine-id.text = "b08dfa6083e7567a1921a715000001fb"; # whonix id
diff --git a/nixos/profiles/common/core/hardening/systemd.nix b/nixos/profiles/common/core/hardening/systemd.nix
deleted file mode 100644
index 8ddf203..0000000
--- a/nixos/profiles/common/core/hardening/systemd.nix
+++ /dev/null
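Review bot: The import list in default.nix now pulls in only ./sysctl.nix, so the per-unit sandboxing that the deleted systemd.nix applied (ProtectSystem, SystemCallFilter, CapabilityBoundingSet, DynamicUser for tailscaled, and the rest) is no longer part of this hardening profile, and neither hunk records why. The header comment still points at the madaidans guide, so a reader of the profile will assume service confinement is still covered. If particular units broke under those directives (the diff does not show which, if any), dropping only those units' attribute sets or relaxing the single offending directive would keep the rest; if the removal is deliberate, a line beside the import list such as `# per-service systemd sandboxing (formerly ./systemd.nix) removed on <DATE>: <REASON>; tracked in <ISSUE>` would preserve the rationale. The enclosing module expression starts before this hunk.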
@@ -1,245 +0,0 @@
-# https://github.com/CPlusPatch/infra/blob/fe96d6cc9a71c81fc5326cd1b1115ed8ae8f0073/traits/hardening/systemd.nix
-# https://github.com/accelbread/config-flake/blob/d69a8b2d636b322fa1e8ba853bfbf23f9a858e38/nix/nixosModules/tailscale.nix
-{
- systemd.services = {
- NetworkManager.serviceConfig = {
- RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_UNIX";
- ProtectHome = true;
- ProtectSystem = "strict";
- ProtectProc = "invisible";
- ReadWritePaths = "/etc -/proc/sys/net -/var/lib/NetworkManager/";
- PrivateTmp = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- CapabilityBoundingSet = "~CAP_SYS_ADMIN CAP_SETUID CAP_SETGID CAP_SYS_CHROOT";
- NoNewPrivileges = true;
- ProtectHostname = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- RestrictNamespaces = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallFilter = "@system-service @privileged";
- SystemCallArchitectures = "native";
- };
-
- bluetooth.serviceConfig = {
- RestrictAddressFamilies = "AF_UNIX AF_BLUETOOTH";
- IPAddressDeny = "any";
- ProtectSystem = "strict";
- ReadWritePaths = "-/var/lib/bluetooth -/run/systemd/unit-root";
- PrivateTmp = true;
- ProtectProc = "ptraceable";
- ProcSubset = "pid";
- DevicePolicy = "closed";
- DeviceAllow = ["/dev/rfkill rw" "/dev/uinput rw"];
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- NoNewPrivileges = true;
- ProtectHostname = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- RestrictNamespaces = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallFilter = ["@system-service" "~@resources @privileged"];
- SystemCallArchitectures = "native";
- };
-
- cups.serviceConfig = {
- RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX";
- IPAddressDeny = "any";
- IPAddressAllow = ["localhost" "192.168.1.0/8" "172.16.1.0/8" "10.0.1.0/8"];
- ProtectHome = true;
- ProtectSystem = "strict";
- ReadWritePaths = "/etc/cups /etc/printcap /var/cache/cups /var/spool/cups";
- LogsDirectory = "cups";
- RuntimeDirectory = "cups";
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- CapabilityBoundingSet = "CAP_CHOWN CAP_AUDIT_WRITE CAP_DAC_OVERRIDE CAP_FSETID CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
- ProtectHostname = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- RestrictNamespaces = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallFilter = "@system-service";
- SystemCallArchitectures = "native";
- };
-
- systemd-networkd.serviceConfig = {
- After = "apparmor.service systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service";
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- ProtectControlGroups = true;
- RestrictNamespaces = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- };
-
- auditd.serviceConfig = {
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
- ProtectControlGroups = true;
- RestrictNamespaces = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- };
-
- NetworkManager-dispatcher.serviceConfig = {
- ProtectHome = true;
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
- ProtectControlGroups = true;
- RestrictNamespaces = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- };
-
- emergency.serviceConfig = {
- ProtectHome = true;
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- SystemCallFilter = "~@clock @cpu-emulation @obsolete @module @raw-io @swap";
- ProtectControlGroups = true;
- RestrictNamespaces = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- };
-
- logrotate.serviceConfig = {
- ProtectHome = true;
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
- ProtectControlGroups = true;
- RestrictNamespaces = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- };
-
- power-profiles-daemon.serviceConfig = {
- ProtectHome = true;
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @swap";
- ProtectControlGroups = true;
- RestrictNamespaces = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- };
-
- ncsd.serviceConfig = {
- ProtectHome = true;
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
- ProtectControlGroups = true;
- RestrictNamespaces = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- };
-
- reload-systemd-vconsole-setup.serviceConfig = {
- ProtectHome = true;
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
- ProtectControlGroups = true;
- RestrictNamespaces = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- };
-
- rescue.serviceConfig = {
- ProtectHome = true;
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
- ProtectControlGroups = true;
- RestrictNamespaces = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- };
-
- tailscaled.environment.TS_DEBUG_FIREWALL_MODE = "nftables"; # iptables requires root
- tailscaled.serviceConfig = {
- AmbientCapabilities = ["CAP_NET_RAW" "CAP_NET_ADMIN"];
- CapabilityBoundingSet = ["CAP_NET_RAW" "CAP_NET_ADMIN"];
- DeviceAllow = "/dev/net/tun rw";
- DevicePolicy = "closed";
- DynamicUser = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateIPC = true;
- PrivateMounts = true;
- PrivateTmp = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProtectSystem = "strict";
- RemoveIPC = true;
- RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK"];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = ["@system-service" "~@privileged"];
- UMask = 077;
- };
- };
-}