diff --git a/nixos/gui/default.nix b/nixos/gui/default.nix
index 9bfd4b37..af5b5883 100644
--- a/nixos/gui/default.nix
+++ b/nixos/gui/default.nix
@@ -3,6 +3,19 @@ let unstable = inputs.nixpkgs-nixos-unstable.legacyPackages.${pkgs.system}; in {
+ programs.firejail.enable = true;
+
+ programs.firejail.wrappedBinaries = {
+ firefox = {
+ executable = "${pkgs.lib.getBin pkgs.firefox}/bin/firefox";
+ profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
+ };
+ chromium = {
+ executable = "${pkgs.lib.getBin pkgs.chromium}/bin/chromium";
+ profile = "${pkgs.firejail}/etc/firejail/chromium.profile";
+ };
+ };
+
 home-manager.users.cyryl = { ... }: {
 gtk = {
 enable = true;
diff --git a/nixos/home-manager/programs.nix b/nixos/home-manager/programs.nix
index 30334391..dbfe351a 100644
--- a/nixos/home-manager/programs.nix
+++ b/nixos/home-manager/programs.nix
@@ -17,7 +17,6 @@
 };
 taskwarrior.enable = true;
 fzf.enable = true;
- chromium.enable = true;
 go.enable = true;
 bat.enable = true;
 browserpass.enable = true;
diff --git a/nixos/i3/default.nix b/nixos/i3/default.nix
index 6aed06e6..244772dd 100644
--- a/nixos/i3/default.nix
+++ b/nixos/i3/default.nix
@@ -42,7 +42,6 @@
 ./home.nix
 ];
 home.packages = with pkgs; [
- firefox
 ];
 };
 }
diff --git a/nixos/security.nix b/nixos/security.nix
index b646bfe6..7490abca 100644
--- a/nixos/security.nix
+++ b/nixos/security.nix
@@ -8,6 +8,9 @@
 security.apparmor.enable = true;
 services.haveged.enable = true;
 networking.firewall.enable = true;
+ services.clamav.daemon.enable = true;
+ services.clamav.updater.enable = true;
+ security.chromiumSuidSandbox.enable = true;
 boot.kernelParams = [
 "page_poison=1"
 "page_alloc.shuffle=1"
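Review bot: In nixos/gui/default.nix the `programs.firejail.wrappedBinaries` entries only confine a browser that is started through the `firefox` or `chromium` name on PATH; anything that invokes the store path directly (a desktop entry, a default-handler setting, another package's hard-coded reference) still runs unsandboxed, and the hunk carries no comment saying so. I would add above the attribute set `# Wrappers shadow the browser names on PATH only; launching the store path bypasses firejail`, and after a rebuild confirm that each running browser is listed by `firejail --list`. `programs.firejail.enable` also installs firejail as a setuid-root wrapper, so the sandbox is bought with a larger privileged local surface, which is worth stating in the same comment. Whether `browserpass` (still enabled in programs.nix) keeps working under the stock profiles is not visible here and should be checked. The enclosing attribute set opens just before the added lines and continues past the end of the hunk.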
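Review bot: In nixos/security.nix the two `services.clamav.*` lines start the daemon and the signature updater, but nothing in the hunk ever asks the daemon to scan, so as written the change adds a long-running parser of untrusted files and periodic downloads without any detection. Either schedule a scan (for example a systemd timer running `clamdscan` over the home and download directories) or record the gap with a comment such as `# clamd only scans on request; no scheduled or on-access scan is configured yet`. `security.chromiumSuidSandbox.enable` deserves a comment too: it installs a setuid sandbox helper, and because Chromium is now launched through firejail (gui/default.nix in this commit) it should be confirmed on `chrome://sandbox` that Chromium's own sandbox is still reported as active inside the wrapper. The `boot.kernelParams` list at the end of the hunk continues outside it.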