diff --git a/base.nix b/base.nix
index 9733a7f..a53336e 100644
--- a/base.nix
+++ b/base.nix
@@ -82,6 +82,47 @@
 (!config.boot.isContainer or false)
 ]) true;
 
+ systemd.services.thermald = lib.mkIf config.services.thermald.enable {
+ documentation = [ "man:thermald(8)" "man:thermal-conf.xml(5)" ];
+ unitConfig.ConditionVirtualization = "no";
+
+ serviceConfig = {
+ PrivateUsers = true;
+ PrivateNetwork = true;
+
+ # AmbientCapabilities = [ "" ];
+ # CapabilityBoundingSet = [ "" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ # PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = "yes";
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true; #?
+ ProtectProc = "invisible"; #?
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ UMask = "0777";
+ RestrictNamespaces = true;
+ # RestrictRealtime = true; #?
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SocketBindDeny = [ "any" ];
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ "~@resources"
+ ];
+ };
+ };
+
 services.openssh = {
 enable = true;
 extraConfig = ''
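Review bot: `UMask = "0777";` in the new thermald serviceConfig masks every permission bit, so any file or directory the service creates comes out as mode 000 — that is not a hardening value, it is a functional break, and the conventional restrictive setting is `UMask = "0077";`. Separately, `ProtectKernelTunables = true` (already marked `#?`) makes /sys read-only inside the unit; if thermald needs to write cooling-device or powercap knobs under /sys this will fail at runtime, so check the journal after deploy and, if so, keep the option but whitelist the exact paths with `ReadWritePaths` (the paths cannot be confirmed from this diff). Minor style: `PrivateTmp = "yes"` is the only boolean written as a string in the block; `PrivateTmp = true;` matches the surrounding options.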