diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 356707f..3b1ddf6 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -17,6 +17,7 @@ (lib.extra.mkImports ./. [
 "dgn-access-control"
 "dgn-acme"
+ "dgn-audit"
 "dgn-backups"
 "dgn-console"
 "dgn-chatops"
diff --git a/modules/nixos/dgn-audit.nix b/modules/nixos/dgn-audit.nix
new file mode 100644
index 0000000..41d2a32
--- /dev/null
+++ b/modules/nixos/dgn-audit.nix
@@ -0,0 +1,88 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ inherit (lib)
+ mkIf
+ mkMerge
+ mkOption
+ ;
+
+ inherit (lib.types)
+ enum
+ ;
+
+ cfg = config.dgn-audit;
+in
+{
+ options.dgn-audit = {
+ audit-level = mkOption {
+ type = enum [
+ "disabled"
+ "normal"
+ "high"
+ ];
+ default = "normal";
+ description = ''
+ Level of auditing configuration.
+ '';
+ };
+ };
+ config = mkIf (cfg.audit-level != "disabled") {
+ security.audit = mkMerge [
+ {
+ backlogLimit = 8192;
+ rules = [
+ # toute les modifs de /etc
+ "-a exit,always -F arch=b64 -F dir=/etc -F perm=wa"
+ "-a exit,always -F arch=b32 -F dir=/etc -F perm=wa"
+
+ # toute les executions des binaires de kmod
+ "-a exit,always -F dir=${pkgs.kmod} -F perm=x"
+
+ # tout les mount/umount (on ignore systemd-executor qui en fait mass pour les credentials)
+ "-a exit,always -F exe!=${pkgs.systemd}/lib/systemd/systemd-executor -S mount,umount2"
+
+ # monitor des syscalls "louche", ou qui devrait rester rare
+ "-a exit,always -S ioperm,modify_ldt,get_kernel_syms,ptrace"
+ "-a exit,always -F arch=b64 -S init_module,delete_module,finit_module"
+ # TODO: filter on operation for prctl, else it's too hard on logging
+ # look PR_PAC_RESET_KEYS PR_SET_VMA PR_SET_PTRACER
+ # "-a exit,always -S prctl"
+ ];
+ }
+ (mkIf (cfg.audit-level == "high") {
+ enable = "lock";
+ failureMode = "panic";
+ rules = [
+ # tout les execve
+ "-a exit,always -F arch=b64 -S execve,execveat"
+ "-a exit,always -F arch=b32 -S execve,execveat"
+
+ # tout les unlink, renomage de truc ou suppression de dossier
+ "-a exit,always -F arch=b64 -S unlink,rmdir,rename"
+ # toute les creation/ouverture/troncature de fichier qui ont raté faute de droit
+ "-a exit,always -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES"
+ ];
+ })
+ (mkIf (cfg.audit-level == "normal") {
+ enable = true;
+ rules = [
+ # les execve priviligé
+ "-a exit,always -F arch=b64 -F uid=0 -S execve,execveat"
+ "-a exit,always -F arch=b32 -F uid=0 -S execve,execveat"
+ "-a exit,always -F arch=b64 -F euid=0 -S execve,execveat"
+ "-a exit,always -F arch=b32 -F euid=0 -S execve,execveat"
+ ];
+ })
+ ];
+ services.journald.audit = true;
+ };
+}
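Review bot: Two syscall rules in the base block carry no `-F arch=` filter (`-S ioperm,modify_ldt,get_kernel_syms,ptrace` and the `exe!=…systemd-executor -S mount,umount2` rule); auditctl resolves those names against the native architecture only and warns about a 32/64-bit syscall mismatch, so a 32-bit process issuing ptrace or mount would not be matched, whereas every other rule in this file already has a b64 line and a b32 twin. The "high" rules for deletions and failed opens cover only the legacy entry points; current libc and coreutils issue `unlinkat`, `renameat`/`renameat2` (rm, mv) and, where used, `openat2`, so those operations go unrecorded, and `-F exit=-EPERM` is the usual companion to `-F exit=-EACCES`. None of the rules sets a `-k` key, which makes `ausearch -k` triage and later per-rule tuning harder than it needs to be. The rewritten rule lines below add the missing arch twin, the `*at` variants and a key per intent.

```nix
# … unchanged: /etc, kmod and mount rules …
"-a exit,always -F arch=b64 -S ioperm,modify_ldt,get_kernel_syms,ptrace -k rare-syscall"
"-a exit,always -F arch=b32 -S ioperm,modify_ldt,get_kernel_syms,ptrace -k rare-syscall"
# … unchanged: module-loading rule, prctl TODO, high-level execve rules …
"-a exit,always -F arch=b64 -S unlink,unlinkat,rmdir,rename,renameat,renameat2 -k file-delete"
"-a exit,always -F arch=b64 -S creat,open,openat,openat2,truncate,ftruncate -F exit=-EACCES -k access-denied"
"-a exit,always -F arch=b64 -S creat,open,openat,openat2,truncate,ftruncate -F exit=-EPERM -k access-denied"
# … unchanged: normal-level privileged execve rules …
```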