diff --git a/home/graphical/cliphist.nix b/home/graphical/cliphist.nix
index 6743284..4e173da 100644
--- a/home/graphical/cliphist.nix
+++ b/home/graphical/cliphist.nix
@@ -1,16 +1,25 @@
-{ lib, config, ... }:
+{
+  pkgs,
+  lib,
+  osConfig,
+  ...
+}:
 let
-  package = config.services.cliphist.package;
+  cfg = osConfig.modules.services.cliphist;
+  exec = pkgs.writers.writeBash "rofi-cliphist" {
+    makeWrapperArgs = [
+      "--prefix"
+      "PATH"
+      ":"
+      "${lib.makeBinPath [ pkgs.cliphist ]}"
+    ];
+  } "cliphist-rofi-img";
 in
 {
-  config = lib.mkIf config.services.cliphist.enable {
+  config = lib.mkIf cfg.enable {
     programs.rofi = {
       enable = true;
-      extraConfig = {
-        modes = [
-          "clipboard:${lib.my.checkPath package "cliphist-rofi-img"}"
-        ];
-      };
+      extraConfig.modes = [ "clipboard:${exec}" ];
     };
   };
 }
diff --git a/home/graphical/swww.nix b/home/graphical/swww.nix
index 8a5e974..9746a72 100644
--- a/home/graphical/swww.nix
+++ b/home/graphical/swww.nix
@@ -1,4 +1,10 @@
-{ self, pkgs, ... }:
+{
+  self,
+  lib,
+  pkgs,
+  config,
+  ...
+}:
 {
   systemd.user.services.swww = {
     Install.WantedBy = [ "graphical-session.target" ];
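Review bot: The wrapper's body is the bare command `cliphist-rofi-img`, so whatever argument rofi hands the mode script is dropped; the contrib script is written to copy the chosen entry when invoked with it as `$1` (which the old direct `lib.my.checkPath package "cliphist-rofi-img"` mode passed straight through), so selecting an entry will presumably do nothing now — make the body `exec cliphist-rofi-img "$@"`. The PATH prefix also resolves `pkgs.cliphist`, while the daemon in options/services/cliphist.nix runs `cfg.package`, so overriding `modules.services.cliphist.package` would leave rofi on a different binary from the one writing the database; use `"${lib.makeBinPath [ cfg.package ]}"`. Dropping `checkPath` also drops the build-time existence check, so a renamed or missing binary now surfaces only as a PATH lookup failure at runtime. Note that `osConfig` only exists when home-manager runs as a NixOS module, so this file no longer evaluates standalone — fine if that is the only mode this repo supports, but worth a one-line comment.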
@@ -10,22 +16,17 @@ Service = { Type = "simple"; ExecStart = "${pkgs.swww}/bin/swww-daemon"; + ExecStartPost = "${pkgs.swww}/bin/swww img ${self + "/assets/landscape-pink-pastel.jpg"} -t wipe"; + Restart = "on-failure"; - }; - }; - - systemd.user.services.swww-set-background = { - Install.WantedBy = [ "graphical-session.target" ]; - - Unit = { - Wants = [ "graphical-session.target" ]; - After = [ "graphical-session.target" ]; - }; - - Service = { - Type = "oneshot"; - ExecStart = "${pkgs.swww}/bin/swww img ${self + "/assets/landscape-pink-pastel.jpg"} -t wipe"; - }; + ProtectHome = "tmpfs"; + BindPaths = "/run/user /home/${config.home.username}/.cache/swww"; + ProtectProc = "noaccess"; + RestrictNamespaces = true; + CapabilityBoundingSet = ""; + PrivateUsers = true; + RestrictAddressFamilies = "AF_UNIX"; + } // lib.my.systemdHardening; }; home.packages = [ pkgs.swww ]; diff --git a/hosts/brontes/default.nix b/hosts/brontes/default.nix index c7dc120..cd6be3b 100644 --- a/hosts/brontes/default.nix +++ b/hosts/brontes/default.nix @@ -38,6 +38,7 @@ }; services = { + cliphist.enable = true; nysh.enable = true; tailscale = { enable = true; @@ -60,7 +61,10 @@ }; media.enableAll = true; }; - + documentation = { + doc.enable = false; + man.generateCaches = false; + }; services = { displayManager.sddm.enable = true; dbus.enable = true; diff --git a/hosts/brontes/home.nix b/hosts/brontes/home.nix index e71a13e..7d20d31 100644 --- a/hosts/brontes/home.nix +++ b/hosts/brontes/home.nix @@ -31,7 +31,6 @@ services = { blueman-applet.enable = true; syncthing.enable = true; - cliphist.enable = true; }; home = { diff --git a/options/services/cliphist.nix b/options/services/cliphist.nix new file mode 100644 index 0000000..1794f91 --- /dev/null +++ b/options/services/cliphist.nix 
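Review bot: `BindPaths = "/run/user /home/${config.home.username}/.cache/swww"` makes the unit fail to start whenever `~/.cache/swww` does not exist yet (a BindPaths source without the `-` prefix must exist), which is exactly the first-login case; with `ProtectHome = "tmpfs"` the usual replacement is `CacheDirectory = "swww";`, which the user manager creates under `$XDG_CACHE_HOME` and, as I read systemd.exec(5), keeps reachable inside the sandbox, and it also removes the hard-coded `/home/` prefix (otherwise use `config.home.homeDirectory`). `ExecStartPost` fires as soon as the `Type = "simple"` main process is forked, so `swww img` can race the daemon's socket creation and, with `Restart = "on-failure"`, turn that race into a restart loop; the removed oneshot ordered after `graphical-session.target` did not have this problem, so unless the swww client retries its connect this wants either a notify-type start-up or an explicit wait before the `img` call. The `/run/user` entry in BindPaths is not hidden by anything visible in this set or in `lib.my.systemdHardening` (ProtectSystem=full leaves /run alone), so either drop it or add a comment saying what it works around.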
@@ -0,0 +1,44 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+
+}:
+let
+  inherit (lib) mkEnableOption mkIf;
+  cfg = config.modules.services.cliphist;
+in
+{
+  options.modules.services.cliphist = {
+    enable = mkEnableOption "cliphist, a clipboard history manager for wayland";
+    package = lib.mkPackageOption pkgs "cliphist" { };
+    extraOptions = lib.mkOption {
+      type = with lib.types; listOf str;
+      default = [
+        "-max-items"
+        "250"
+      ];
+      description = ''
+        Flags to append to the cliphist command.
+      '';
+      apply = lib.escapeShellArgs;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.user.services.cliphist = {
+      description = "Clipboard management daemon";
+      partOf = [ "graphical-session.target" ];
+      wantedBy = [ "graphical-session.target" ];
+
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.wl-clipboard}/bin/wl-paste --watch ${cfg.package}/bin/cliphist ${cfg.extraOptions} store";
+        Restart = "on-failure";
+      } // lib.my.systemdHardening;
+
+      postStop = "${cfg.package}/bin/cliphist wipe";
+    };
+  };
+}
diff --git a/options/services/default.nix b/options/services/default.nix
index 28a6722..807556c 100644
--- a/options/services/default.nix
+++ b/options/services/default.nix
@@ -3,5 +3,6 @@
     ./nysh.nix
     ./tailscale.nix
     ./rsync-backup
+    ./cliphist.nix
   ];
 }
diff --git a/parts/lib/functions.nix b/parts/lib/functions.nix
index 75aa683..f2b7aab 100644
--- a/parts/lib/functions.nix
+++ b/parts/lib/functions.nix
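Review bot: The `extraOptions` description says the flags are appended to the cliphist command, but `ExecStart` places them between `cliphist` and the `store` subcommand, so they are cliphist's global flags, and a reader of `cfg.extraOptions` also needs to know that `apply = lib.escapeShellArgs` has turned the list into a single shell-quoted string; suggested description: `Global cliphist flags inserted before the store subcommand; each element is shell-escaped.` A comment on `postStop` is worth adding too, since it maps to `ExecStopPost`, which also runs when the main process fails, and `Restart = "on-failure"` then brings the unit back, so a crash wipes the history before the restart: `# Runs on every stop, including a crash-restart, so history never outlives the session.` If wiping on crash is not intended, the wipe belongs in a separate unit tied to `graphical-session.target` going down rather than in this one.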
@@ -8,6 +8,27 @@ let
   inherit (lib) mkOption;
 in
 {
+
+  systemdHardening = {
+    IPAddressDeny = "any";
+    NoNewPrivileges = true;
+    ProtectSystem = "full";
+    PrivateDevices = true;
+    ProtectKernelTunables = true;
+    ProtectHostname = true;
+    ProtectKernelLogs = true;
+    ProtectKernelModules = true;
+    MemoryDenyWriteExecute = true;
+    PrivateTmp = true;
+    LockPersonality = true;
+    RestrictRealtime = true;
+    DevicePolicy = "closed";
+    ProtectClock = true;
+    PrivateNetwork = true;
+    ProtectControlGroups = true;
+    SystemCallArchitectures = "native";
+  };
+
   # Verify the existence of a binary inside of a derivation.
   # Returns the path to the binary or throws.
   checkPath =
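Review bot: The shared set omits the two restrictions swww.nix then adds by hand, `RestrictNamespaces = true` and `CapabilityBoundingSet = ""`, so the cliphist unit that merges only `lib.my.systemdHardening` ends up weaker than swww for no stated reason; if no consumer needs namespaces or capabilities they belong here, alongside `RestrictSUIDSGID = true;` and a `SystemCallFilter = [ "@system-service" ];`, the usual companion to `SystemCallArchitectures = "native"`, each to be confirmed against both consumers before landing. The attrset also carries no comment, unlike `checkPath` right below it; suggested header: `# Baseline sandboxing for units that merge lib.my.systemdHardening; ProtectSystem is "full", not "strict", because consumers keep state under $HOME (swww.nix bind-mounts ~/.cache/swww) — add ProtectHome and binds per unit.` The enclosing `let … in { … }` starts before this hunk and `checkPath` continues after it.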