diff --git a/modules/crowdsec/default.nix b/modules/crowdsec/default.nix
index 7658934..5abd8e0 100644
--- a/modules/crowdsec/default.nix
+++ b/modules/crowdsec/default.nix
@@ -335,6 +335,36 @@ in
             SupplementaryGroups = [ "systemd-journal" ];
 
             StateDirectory = "crowdsec";
+
+            # PrivateTmp = true;
+            # PrivateUsers = true;
+            # ProtectHome = true;
+            # CapabilityBoundingSet = [ ];
+            # LockPersonality = true;
+            # PrivateDevices = true;
+            # ProtectHostname = true;
+            # ProtectKernelTunables = true;
+            # ProtectKernelModules = true;
+            # ProtectControlGroups = true;
+
+            # NoNewPrivileges = true;
+            # RestrictSUIDSGID = true;
+
+            # ProtectProc = "invisible";
+            # ProcSubset = "pid"; # Needed for journal access
+
+            # RestrictNamespaces = true;
+            # RestrictRealtime = true;
+
+            # SystemCallFilter = [
+            #   "@system-service"
+            #   "@network-io"
+            # ];
+            # SystemCallArchitectures = [ "native" ];
+            # SystemCallErrorNumber = "EPERM";
+
+            # ExecPaths = [ "/nix/store" ];
+            # NoExecPaths = [ "/" ];
           };
         };
       };
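Review bot: Every hardening directive added after `StateDirectory` is commented out, so this commit leaves the unit's sandbox unchanged and nothing records why the options are disabled. Consider enabling the ones least likely to interfere with log reading first (for example `NoNewPrivileges = true;`, `ProtectKernelModules = true;`, `RestrictSUIDSGID = true;`), checking the result with `systemd-analyze security`, and putting a one-line comment on each option that stays disabled saying what failed. When `CapabilityBoundingSet` is enabled, write `CapabilityBoundingSet = "";`, because an empty Nix list likely renders no directive at all and would leave the bounding set at its default. `"@network-io"` is already included in `@system-service`, and the comment on `ProcSubset = "pid"` ("Needed for journal access") reads as if it belongs to another line, since that setting restricts /proc rather than granting access. The serviceConfig attribute set begins outside this hunk.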