diff --git a/common.nix b/common.nix
index f1236e2..20facff 100644
--- a/common.nix
+++ b/common.nix
@@ -4,6 +4,7 @@
 inputs.serokell-nix.nixosModules.serokell-users
 inputs.vault-secrets.nixosModules.vault-secrets
 inputs.serokell-nix.nixosModules.wireguard-monitoring
+ inputs.serokell-nix.lib.systemd.hardenServices
 ];
 
 networking.domain = "gemini.serokell.team";
diff --git a/servers/alzirr/deployment.nix b/servers/alzirr/deployment.nix
index 691562d..1c8fed3 100644
--- a/servers/alzirr/deployment.nix
+++ b/servers/alzirr/deployment.nix
@@ -39,6 +39,28 @@ in
 User = "sweater";
 Group = "users";
 ExecStart = "${swampwalk2-profile}/bin/swampwalk-server";
+
+ # hardening options
+ CapabilityBoundingSet = [
+ "CAP_CHOWN"
+ "CAP_SETUID"
+ "CAP_SETGID"
+ "CAP_FOWNER"
+ "CAP_DAC_OVERRIDE"
+ ];
+ AmbientCapabilities = [ "" ];
+ DeviceAllow = "no";
+ KeyringMode = "private";
+ NotifyAccess = "none";
+ PrivateMounts = "yes";
+ PrivateTmp = "yes";
+ ProtectControlGroups = "yes";
+ ProtectProc = "invisible";
+ SupplementaryGroups = [ "" ];
+ Delegate = "no";
+ RemoveIPC = "yes";
+ UMask = "0027";
+ ProcSubset = "pid";
 };
 };
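Review bot: The new import line says nothing about what `hardenServices` changes for every unit on every host that imports common.nix, and the per-service keys added to servers/alzirr/deployment.nix in this same commit presumably build on whatever defaults it sets. A short comment above it, e.g. `# serokell-nix systemd hardening module; per-service overrides live in servers/*/deployment.nix`, would save the next reader a trip into serokell-nix to find out which sandboxing options are switched on. Its placement alongside the `nixosModules.*` entries also implies it evaluates to a NixOS module rather than a plain library function, which is worth confirming since it lives under `lib`.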
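Review bot: `DeviceAllow = "no";` does not do what the hardening block implies: systemd's DeviceAllow= takes a device node path (or a `char-`/`block-` group name) plus an access spec, so as far as I can tell the value "no" is rejected as an invalid device path and ignored with a warning at unit load, leaving device access unchanged. If the intent is to cut the service off from device nodes, replace it with `PrivateDevices = "yes";` (or `DevicePolicy = "closed";`), keeping the "yes"/"no" string style of the surrounding keys. Separately, the block sets `ProtectProc`, `ProcSubset` and `ProtectControlGroups` but nothing visible here sets `NoNewPrivileges`, `ProtectSystem`, `ProtectHome` or `RestrictSUIDSGID`; if `hardenServices` imported in common.nix supplies those as fleet-wide defaults, a comment saying so under `# hardening options` would make that dependency explicit. The enclosing service definition starts before the hunk.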