diff --git a/nixos/boxes/vpsfree1/default.nix b/nixos/boxes/vpsfree1/default.nix index 5cb139fa..a88894e4 100644 --- a/nixos/boxes/vpsfree1/default.nix +++ b/nixos/boxes/vpsfree1/default.nix @@ -6,6 +6,7 @@ ./tailscale-vpsfree1.nix ../cli.nix ../../server-security.nix + ../../server-common.nix ../../tailscale.nix ]; @@ -18,4 +19,3 @@ nix.buildCores = 7; } - diff --git a/nixos/boxes/vultr1/default.nix b/nixos/boxes/vultr1/default.nix index 46816591..974aa6bc 100644 --- a/nixos/boxes/vultr1/default.nix +++ b/nixos/boxes/vultr1/default.nix @@ -11,6 +11,7 @@ ./snowflake.nix ../cli.nix ../../server-security.nix + ../../server-common.nix ../../tailscale.nix ]; diff --git a/nixos/security.nix b/nixos/security.nix index 01bf42a1..90c6a2cf 100644 --- a/nixos/security.nix +++ b/nixos/security.nix @@ -1,14 +1,18 @@ { config, pkgs, lib, ... }: { + networking.firewall.checkReversePath = "loose"; + networking.firewall.enable = true; + nix.allowedUsers = [ "@users" ]; - security.lockKernelModules = false; - security.protectKernelImage = true; - security.forcePageTableIsolation = true; - security.virtualisation.flushL1DataCache = "always"; + security.apparmor.enable = true; security.apparmor.killUnconfinedConfinables = true; - networking.firewall.enable = true; + security.forcePageTableIsolation = true; + security.lockKernelModules = false; + security.protectKernelImage = true; + security.virtualisation.flushL1DataCache = "always"; services.clamav.daemon.enable = true; services.clamav.updater.enable = true; + boot.kernelParams = [ "slub_debug=FZP" "page_poison=1" "page_alloc.shuffle=1" ]; diff --git a/nixos/server-common.nix b/nixos/server-common.nix new file mode 100644 index 00000000..e62a1248 --- /dev/null +++ b/nixos/server-common.nix @@ -0,0 +1 @@ +{ config, pkgs, ... }: { system.stateVersion = "22.05"; } diff --git a/nixos/server-security.nix b/nixos/server-security.nix index c7354115..e026b1ea 100644 --- a/nixos/server-security.nix +++ b/nixos/server-security.nix 
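Review bot: `networking.firewall.checkReversePath = "loose"` in the security.nix hunk relaxes reverse-path filtering for every host that imports the shared hardening module, and nothing in the hunk says why. Both boxes touched by this commit also import `../../tailscale.nix`, so presumably this is the rpfilter exemption Tailscale's interface needs; if so it belongs in the Tailscale module rather than in security.nix, so hosts without Tailscale keep strict filtering, and it wants a why-comment such as `# Tailscale's interface fails strict rpfilter; "loose" still drops sources with no route back at all.` The new `boot.kernelParams` (`slub_debug=FZP`, `page_poison=1`) also add allocator overhead on every host, so a one-line comment stating that the cost is intentional would keep the next reader from quietly dropping them.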
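Review bot: `system.stateVersion = "22.05"` is being placed in a module shared by several hosts, but stateVersion is a per-host value that records the release the host was first installed with and is not meant to change afterwards. Sharing it means the next host added later either inherits a stale 22.05 or forces a bump for vpsfree1 and vultr1, which can change state-dependent defaults on machines that already hold data. I would keep it in each box's default.nix, or at least add `# Pins state-dependent defaults; never bump on an already-deployed host.` above the line. If vpsfree1 or vultr1 previously had no stateVersion set, verify that 22.05 matches what they were actually deployed with before applying this.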
@@ -8,7 +8,7 @@ let
   ];
 in {
   imports = [ ./security.nix ];
-  security.acme.email = "admin@cyplo.dev";
+  security.acme.defaults.email = "admin@cyplo.dev";
   security.acme.acceptTerms = true;
   services.fail2ban.enable = true;