diff --git a/modules/nix-bitcoin-services.nix b/modules/nix-bitcoin-services.nix
index e155a41..daf1355 100644
--- a/modules/nix-bitcoin-services.nix
+++ b/modules/nix-bitcoin-services.nix
@@ -21,6 +21,10 @@ with lib;
 LockPersonality = "true";
 IPAddressDeny = "any";
 PrivateUsers = "true";
+ RestrictSUIDSGID = "true";
+ RemoveIPC = "true";
+ RestrictRealtime = "true";
+ ProtectHostname = "true";
 CapabilityBoundingSet = "";
 # @system-service whitelist and docker seccomp blacklist (except for "clone"
 # which is a core requirement for systemd services)
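Review bot: The four new directives (RestrictSUIDSGID through ProtectHostname) carry no note on their systemd version floor; RestrictSUIDSGID= and ProtectHostname= only exist from systemd 242, and an older systemd logs an "Unknown key name" warning and ignores them, so on a release that pins an older systemd this hardening would silently not apply. A comment above the new lines, `# RestrictSUIDSGID and ProtectHostname require systemd >= 242; older versions warn and ignore them`, would make that visible, and `systemctl show <unit> -p RestrictSUIDSGID` after a deploy confirms the setting actually took effect. RemoveIPC removes SysV/POSIX IPC objects owned by the unit's user when the unit stops, which is a behavioural change for any service in this shared default set that runs as a user another unit also uses — presumably none here, but worth confirming before it lands in the common defaults. The enclosing attribute set begins before this hunk.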