diff --git a/flake.nix b/flake.nix
index 2d5ac83..6fac546 100644
--- a/flake.nix
+++ b/flake.nix
@@ -341,13 +341,19 @@
                 enable = cfg.enable;
                 serviceConfig = {
                   Type = "simple";
-                  User = "anycast-healthchecker";
                   Group = "bird2";
-                  DynamicUser = true;
+                  User = "bird2";
                   RuntimeDirectory = "anycast-healthchecker";
                   StateDirectory = "anycast-healthchecker";
                   ExecStart = "${package}/bin/anycast-healthchecker --file ${conf} --dir ${conf_d}";
                   Restart = "on-failure";
+                  MemoryDenyWriteExecute = true;
+                  PrivateDevices = true;
+                  PrivateTmp = true;
+                  ProtectControlGroups = true;
+                  ProtectHome = true;
+                  ProtectKernelTunables = true;
+                  ProtectSystem = "full";
                 };
                 wantedBy = ["multi-user.target"];
               };