diff --git a/setup_postinstall.sh b/setup_postinstall.sh
new file mode 100644
index 0000000..4ceb6c0
--- /dev/null
+++ b/setup_postinstall.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "=== Post-install hardening and VPN setup ==="
+[[ -f .env ]] && source .env || true
+
+sudo pacman -Syu --noconfirm ufw apparmor fail2ban wireguard-tools
+
+# ── Firewall ──
+sudo systemctl enable --now ufw
+sudo ufw --force reset
+sudo ufw default deny incoming
+sudo ufw default allow outgoing
+sudo ufw enable
+
+# ── AppArmor & Fail2ban ──
+sudo systemctl enable --now apparmor
+sudo systemctl enable --now fail2ban
+
+# ── Sysctl hardening ──
+sudo tee /etc/sysctl.d/99-hardening.conf >/dev/null <<'EOF'
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv4.tcp_syncookies = 1
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+kernel.randomize_va_space = 2
+EOF
+sudo sysctl --system
+
+# ── WireGuard (optional) ──
+if [[ "${ENABLE_WIREGUARD:-no}" =~ ^[Yy][Ee]?[Ss]?$ ]] && [[ -f "${WIREGUARD_CONF_PATH:-./wg0.conf}" ]]; then
+ echo "Setting up WireGuard..."
+ sudo install -Dm600 "$WIREGUARD_CONF_PATH" /etc/wireguard/wg0.conf
+ sudo systemctl enable --now wg-quick@wg0.service
+else
+ echo "WireGuard skipped (no config or disabled)."
+fi
+
+echo "✅ Post-install setup complete."
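Review bot: The WireGuard branch passes `"$WIREGUARD_CONF_PATH"` to `install` with no default, while the `if` guard falls back to `./wg0.conf`, so under `set -u` an unset variable plus an existing `./wg0.conf` aborts the script with an unbound-variable error instead of installing the config. Resolve the path once and use it in both places: `wg_conf=${WIREGUARD_CONF_PATH:-./wg0.conf}`, then `[[ -f "$wg_conf" ]]` in the condition and `sudo install -Dm600 -- "$wg_conf" /etc/wireguard/wg0.conf` in the body. Separately, `source .env` executes whatever shell code sits in the current working directory's `.env`, and since every later command runs under sudo, a writable working directory lets that file steer `WIREGUARD_CONF_PATH` or run commands before hardening starts; loading it from a fixed path, or parsing only `KEY=value` lines, would narrow that. Also `ufw --force reset` followed by `default deny incoming` adds no SSH allow rule, so if this is run over SSH the current session may be the last one in; an explicit `sudo ufw allow OpenSSH` (or whichever port is in use) before `ufw enable` avoids the lockout.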