diff --git a/synapse-module/default.nix b/synapse-module/default.nix
index c4c3fde..3b56446 100644
--- a/synapse-module/default.nix
+++ b/synapse-module/default.nix
@@ -450,6 +450,45 @@ in
 in "${wrapped}/bin/synapse_homeserver ${flags}";
 ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -HUP $MAINPID";
 Restart = "on-failure";
+
+ CapabilityBoundingSet = [ "" ];
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ ReadWritePaths = [
+ cfg.dataDir
+ cfg.settings.media_store_path
+ ]
+ ++ (map (listener: dirOf listener.path) (
+ lib.filter (listener: listener.path != null) cfg.settings.listeners
+ ));
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@resources"
+ "~@privileged"
+ ];
 };
 };
 };
diff --git a/synapse-module/workers.nix b/synapse-module/workers.nix
index b068011..b0a20ec 100644
--- a/synapse-module/workers.nix
+++ b/synapse-module/workers.nix
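Review bot: `"~@resources"` in SystemCallFilter (here and in the identical workers.nix hunk) denylists setrlimit/prlimit64, and a denylisted call terminates the process with SIGSYS unless SystemCallErrorNumber= is set; as far as I recall Synapse's startup raises its RLIMIT_NOFILE soft limit with setrlimit and only handles the error-return case, so this should be confirmed with a real service start before merging. If that path is hit, either drop `"~@resources"` or add `SystemCallErrorNumber = "EPERM";` so the call fails softly and Synapse's existing handler logs it instead of the unit dying. Separately, `cfg.settings.media_store_path` goes into ReadWritePaths unconditionally while listener paths are null-filtered; if that option can be null the unit fails to evaluate, so guard it the same way, e.g. `[ cfg.dataDir ] ++ lib.optional (cfg.settings.media_store_path != null) cfg.settings.media_store_path`. The two 39-line hardening blocks are byte-identical, so factoring them into one shared attrset imported by both files (a name like `hardening.nix` is only illustrative) would keep them from drifting apart. The serviceConfig attrset these lines extend begins outside the hunk.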
@@ -394,6 +394,45 @@ in { keys-directory = cfg.dataDir;
 };
 in "${wrapped}/bin/synapse_worker ${flags}";
+
+ CapabilityBoundingSet = [ "" ];
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ ReadWritePaths = [
+ cfg.dataDir
+ cfg.settings.media_store_path
+ ]
+ ++ (map (listener: dirOf listener.path) (
+ lib.filter (listener: listener.path != null) cfg.settings.listeners
+ ));
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@resources"
+ "~@privileged"
+ ];
 };
 };
 }));
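Review bot: Every worker unit is granted write access to `cfg.settings.media_store_path` and to the socket directory of every listener in `cfg.settings.listeners`, although only a media-repository worker writes media and each worker binds only its own sockets. This block appears to be generated per worker inside a function that starts outside the hunk (it closes with `}));`), so the worker's own definition is presumably in scope and could narrow the list, e.g. `lib.optional <is-media-worker> cfg.settings.media_store_path` (placeholder condition) plus mapping `dirOf` over that worker's own listeners instead of the homeserver's. I can't see the worker attribute names from this hunk, so the exact predicate needs checking against the surrounding code.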