diff --git a/options/services/nysh.nix b/options/services/nysh.nix index d60861c..7059d20 100644 --- a/options/services/nysh.nix +++ b/options/services/nysh.nix @@ -24,15 +24,21 @@ in "multi-user.target" "graphical-session.target" ]; + partOf = [ "graphical-session.target" ]; + after = [ "graphical-session-pre.target" ]; - unitConfig = { - After = [ "graphical-session-pre.target" ]; - PartOf = [ "graphical-session.target" ]; - }; serviceConfig = { Type = "simple"; ExecStart = "/bin/sh -lc ${cfg.package}/bin/nysh"; Restart = "on-failure"; + + NoNewPrivileges = true; + PrivateMounts = true; + ProtectHostname = true; + ProtectKernelTunables = true; + ProtectProc = true; + PrivateTmp = true; + IPAddressDeny = "any"; }; }; };
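Review bot: `ProtectProc = true;` in the added `serviceConfig` lines is not a value systemd accepts: `ProtectProc=` takes `noaccess`, `invisible`, `ptraceable` or `default`. The rendered `ProtectProc=true` will most likely be logged as a parse failure and ignored, leaving `/proc` unrestricted while the unit looks hardened. Use `ProtectProc = "invisible";` (or `"noaccess"` if the shell does not need to see other processes) and check the built unit with `systemd-analyze security` (add `--user` for a user unit). Separately, the unit is tied to `graphical-session.target`, which suggests a per-user service. If so, `PrivateMounts`, `PrivateTmp` and `ProtectKernelTunables` depend on unprivileged user namespaces, and `IPAddressDeny = "any";` may not be enforced by a user manager, so confirm these take effect; the enclosing attribute set starts outside the hunk.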