diff --git a/modules/lightning-charge.nix b/modules/lightning-charge.nix
index 612c6c9..629eb81 100644
--- a/modules/lightning-charge.nix
+++ b/modules/lightning-charge.nix
@@ -38,7 +38,7 @@ in {
 User = "clightning";
 Restart = "on-failure";
 RestartSec = "10s";
- } // nix-bitcoin-services.defaultHardening;
+ } // nix-bitcoin-services.nodeHardening;
 };
 };
 }
diff --git a/modules/nanopos.nix b/modules/nanopos.nix
index ef1d356..67c872d 100644
--- a/modules/nanopos.nix
+++ b/modules/nanopos.nix
@@ -74,7 +74,7 @@ in {
 User = "nanopos";
 Restart = "on-failure";
 RestartSec = "10s";
- } // nix-bitcoin-services.defaultHardening;
+ } // nix-bitcoin-services.nodeHardening;
 };
 };
 }
diff --git a/modules/nix-bitcoin-services.nix b/modules/nix-bitcoin-services.nix
index c4fac75..c3150df 100644
--- a/modules/nix-bitcoin-services.nix
+++ b/modules/nix-bitcoin-services.nix
@@ -1,11 +1,22 @@
-{
+let
 defaultHardening = {
 PrivateTmp = "true";
 ProtectSystem = "full";
+ ProtectHome = "true";
 NoNewPrivileges = "true";
 PrivateDevices = "true";
 MemoryDenyWriteExecute = "true";
+ ProtectKernelTunables = "true";
+ ProtectKernelModules = "true";
+ ProtectControlGroups = "true";
+ RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+ LockPersonality = "true";
 };
+in
+{
+ inherit defaultHardening;
+ # node applications apparently rely on memory write execute
+ nodeHardening = defaultHardening // { MemoryDenyWriteExecute = "false"; };
 }
diff --git a/modules/spark-wallet.nix b/modules/spark-wallet.nix
index 7ed7a64..817c377 100644
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@@ -64,7 +64,7 @@ in {
 User = "clightning";
 Restart = "on-failure";
 RestartSec = "10s";
- } // nix-bitcoin-services.defaultHardening;
+ } // nix-bitcoin-services.nodeHardening;
 };
 };
 }
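Review bot: The merge `} // nix-bitcoin-services.nodeHardening;` puts the shared hardening set on the right-hand side of `//`, so it silently overrides any key of the same name that a unit sets locally in its serviceConfig; none of the visible keys (User, Restart, RestartSec) collide today, but a future per-service tightening such as a stricter ProtectSystem would be dropped without warning. Placing the shared set first, `serviceConfig = nix-bitcoin-services.nodeHardening // { User = "clightning"; ... };`, keeps per-unit values authoritative, and the same applies to the identical hunks in nanopos.nix and spark-wallet.nix. This switch also means these three units keep the new ProtectHome/ProtectKernel*/RestrictAddressFamilies restrictions but lose MemoryDenyWriteExecute, which is worth a short use-site comment since the reason lives in another file. The enclosing serviceConfig attrset begins before this hunk.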
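Review bot: The comment on nodeHardening hedges with "apparently", which leaves a deliberate security downgrade undocumented; if the cause is Node's JIT needing writable-and-executable mappings (which MemoryDenyWriteExecute forbids), state it, e.g. `# Node.js (V8 JIT) needs writable+executable memory, so MemoryDenyWriteExecute cannot be enabled for Node units`. Adding ProtectHome = "true" to defaultHardening applies to every existing consumer in one step, so any unit that keeps state under /home, /root or /run/user will fail at start; the consumers are outside this hunk and should be checked before merging. The new set still omits a few options usually paired with it, e.g. `SystemCallArchitectures = "native";`, `RestrictNamespaces = "true";` and `RestrictRealtime = "true";`, which could follow in a later change.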