diff --git a/modules/actual-server/default.nix b/modules/actual-server/default.nix
index 4e7946b..91bd8a7 100644
--- a/modules/actual-server/default.nix
+++ b/modules/actual-server/default.nix
@@ -3,7 +3,7 @@
 ...
 }: {
- systemd.user.services.actual-server = {
+ systemd.services.actual-server = {
 enable = true;
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
@@ -18,4 +18,41 @@
 RestartSec = 3;
 };
 };
+
+ # hardening
+ DynamicUser = true;
+ DevicePolicy = "closed";
+ CapabilityBoundingSet = "";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ "AF_NETLINK"
+ ];
+ DeviceAllow = "";
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ LockPersonality = true;
+ RemoveIPC = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@resources"
+ ];
+ ProtectProc = "invisible";
+ ProtectHostname = true;
+ UMask = "0077";
 }
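Review bot: Judging by the context lines of the second hunk, the hardening block is inserted after the two `};` lines that close `serviceConfig` and the service definition, so on the new side `DynamicUser`, `ProtectSystem` and the rest sit at the module's top level rather than inside `systemd.services.actual-server.serviceConfig`; NixOS evaluation will reject an unknown top-level option such as `DynamicUser`, and even if it did not, none of these directives would reach the unit. Move the whole block (from `# hardening` through `UMask = "0077";`) above the first `};` so it lands inside `serviceConfig`. Once it is in place, `ProtectSystem = "strict"` together with `DynamicUser = true` leaves the filesystem read-only except for explicitly granted paths, so the server's data directory (presumably configured in the lines outside this hunk) needs a `StateDirectory = "actual-server";` or an equivalent `ReadWritePaths` entry, or the service will fail on its first write. The first hunk's move from `systemd.user.services` to a system service with `DynamicUser` also changes the owning UID, so any data created by the old user service will need its ownership adjusted before the hardened unit can read it.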