diff --git a/pkgs/co2_exporter/module.nix b/pkgs/co2_exporter/module.nix
index a01312b..23f93ba 100644
--- a/pkgs/co2_exporter/module.nix
+++ b/pkgs/co2_exporter/module.nix
@@ -38,7 +38,12 @@ in
 # systemd-analyze --no-pager security co2_exporter.service
 DynamicUser = true;
- # FIXME
+ CapabilityBoundingSet = null;
+ PrivateUsers = true;
+ ProtectHome = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ SystemCallFilter = "@system-service";
 };
 };
 };
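Review bot: `SystemCallFilter = "@system-service";` is added without a matching `SystemCallArchitectures = "native";`, and systemd's documentation recommends pairing the two so that the allow-list also holds for secondary ABIs (for example 32-bit calls on x86-64). The attribute set opens above the hunk, so confirm it is not already set there. `CapabilityBoundingSet = null;` presumably means "no capabilities", but what a null renders to in the unit file depends on the NixOS unit generator; `CapabilityBoundingSet = "";` states the empty set explicitly. The filter could also be tightened to `SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];` if the exporter runs cleanly under it. Re-running the `systemd-analyze security` command from the comment above would confirm the result.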