diff --git a/roles/restic/files/restic-backup.service b/roles/restic/files/restic-backup.service
index 65ab554..0602368 100644
--- a/roles/restic/files/restic-backup.service
+++ b/roles/restic/files/restic-backup.service
@@ -10,3 +10,22 @@ Environment=RESTIC_PASSWORD_FILE=%d/restic.password
 Environment=XDG_CACHE_HOME=%C
 EnvironmentFile=-%E/restic/environment
 ExecStart=/usr/bin/restic backup --files-from %E/restic/include --exclude-file %E/restic/exclude --exclude-if-present .nobackup
+CacheDirectory=restic
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=%t
+ReadWritePaths=%T
+ReadWritePaths=%V
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+UMask=0077
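Review bot: `ReadWritePaths=%t` makes the whole runtime directory root (`/run` for a system unit) writable again, which gives back much of what `ProtectSystem=strict` removes; if restic only needs scratch space there, `RuntimeDirectory=restic` would scope it to a single directory. `ReadWritePaths=%T` and `ReadWritePaths=%V` look redundant next to `PrivateTmp=yes`, which already provides private writable `/tmp` and `/var/tmp`. The visible lines also set no `NoNewPrivileges=yes`, and the systemd documentation recommends pairing `MemoryDenyWriteExecute=yes` with `SystemCallArchitectures=native`; both are one-line additions, unless they are already set in the part of the unit above the hunk. The `[Service]` header is outside the hunk, so this assumes the new lines land in that section. If the repository in the environment file is a local path, it would need its own `ReadWritePaths=` entry under `ProtectSystem=strict`, which is worth confirming before rollout.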