diff --git a/assets/systemd/muscl.service b/assets/systemd/muscl.service
index 44172bb..beff2ca 100644
--- a/assets/systemd/muscl.service
+++ b/assets/systemd/muscl.service
@@ -16,7 +16,6 @@ Group=muscl
 DynamicUser=yes
 ConfigurationDirectory=muscl
-# RuntimeDirectory=muscl
 # This is required to read unix user/group details.
 PrivateUsers=false
diff --git a/nix/module.nix b/nix/module.nix
index 90cc0df..9e0b679 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -113,6 +113,17 @@ in
 "${lib.getExe' pkgs.coreutils "kill"} -HUP $MAINPID"
 ];
+ RuntimeDirectory = "muscl/root-mnt";
+ RuntimeDirectoryMode = "0700";
+ RootDirectory = "/run/muscl/root-mnt";
+ BindReadOnlyPaths = [
+ builtins.storeDir
+ "/etc"
+ ]
+ ++ lib.optionals (cfg.settings.mysql.socket_path != null) [
+ cfg.settings.mysql.socket_path
+ ];
+ IPAddressDeny = "any";
 IPAddressAllow = [
 "127.0.0.0/8"
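Review bot: The `"/etc"` entry in `BindReadOnlyPaths` maps the whole host `/etc` into the new root, which is broader than the user/group lookup that the unit file's comment gives as the requirement. If the service only needs its own configuration and the account databases, a narrower list (for example `"/etc/passwd"`, `"/etc/group"`, `"/etc/nsswitch.conf"` and the service's configuration directory) would keep the chroot closer to least privilege, though how these resolve through NixOS's `/etc` symlinks would need checking. Separately, `cfg.settings.mysql.socket_path` binds the socket file itself, so a database restart that recreates the socket would likely leave this service attached to the old inode, and a socket that does not exist yet makes the bind fail at unit start. Binding the parent directory instead, `builtins.dirOf cfg.settings.mysql.socket_path`, avoids the stale-inode case. The attribute set these options belong to starts and ends outside the hunk, so any existing ordering against the database unit is not visible here.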