diff --git a/module.nix b/module.nix
index 3e11613..065a42c 100644
--- a/module.nix
+++ b/module.nix
@@ -100,6 +100,45 @@ in
 ExecStart = "${lib.getExe cfg.package} ${lib.cli.toGNUCommandLineShell { } cfg.settings}";
 Restart = "always";
 RestartSec = 3;
+
+ IPAddressDeny =
+ lib.optionals (lib.elem cfg.settings.host [ null "localhost" "127.0.0.1" ]) [ "any" ];
+
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+
+ AmbientCapabilities = [ "" ];
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ # Might work, but wouldn't bet on it with embedded scripting lang in mpv
+ MemoryDenyWriteExecute = false;
+ NoNewPrivileges = true;
+ # MPV and mesa tries to talk directly to the GPU.
+ PrivateDevices = false;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = "tmpfs";
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ UMask = "0077";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ "~@resources"
+ ];
 };
 };
 })
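Review bot: `IPAddressDeny = … [ "any" ]` is set on its own when `cfg.settings.host` is null, "localhost" or "127.0.0.1", but systemd's per-cgroup IP filter also covers loopback sockets, so if the listener is expected to accept local connections in that configuration it needs the matching allow entry, `IPAddressAllow = lib.optionals (lib.elem cfg.settings.host [ null "localhost" "127.0.0.1" ]) [ "localhost" ];`, since `RestrictAddressFamilies` still permits AF_INET/AF_INET6 and this deny list is the only network restriction left. If the intent is instead that the service does no IP traffic at all when bound to localhost, a one-line comment stating that would keep the next reader from adding the allow entry. `DeviceAllow = [ "" ]` resets the allow list rather than denying devices, and with `PrivateDevices = false` and no `DevicePolicy` set I believe it leaves device access unrestricted, so either drop the line or make the GPU exception explicit by listing the DRI device nodes the service actually needs under `DevicePolicy = "closed"`. The serviceConfig attribute set this hunk extends begins before the hunk.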