diff --git a/contrib/systemd/bookwyrm-scheduler.service b/contrib/systemd/bookwyrm-scheduler.service
index f3572f632..1d5b05214 100644
--- a/contrib/systemd/bookwyrm-scheduler.service
+++ b/contrib/systemd/bookwyrm-scheduler.service
@@ -5,10 +5,30 @@ After=network.target postgresql.service redis.service
 [Service]
 User=bookwyrm
 Group=bookwyrm
-WorkingDirectory=/opt/bookwyrm/
+WorkingDirectory=/opt/bookwyrm
 ExecStart=/opt/bookwyrm/venv/bin/celery -A celerywyrm beat -l INFO --scheduler django_celery_beat.schedulers:DatabaseScheduler
 StandardOutput=journal
 StandardError=inherit
+ProtectSystem=strict
+ProtectHome=tmpfs
+InaccessiblePaths=-/media -/mnt -/srv
+PrivateTmp=yes
+TemporaryFileSystem=/var /run /opt
+PrivateUsers=true
+PrivateDevices=true
+BindReadOnlyPaths=/opt/bookwyrm
+BindPaths=/opt/bookwyrm/images /opt/bookwyrm/static /var/run/postgresql
+LockPersonality=yes
+MemoryDenyWriteExecute=true
+PrivateMounts=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+RestrictNamespaces=net
 [Install]
 WantedBy=multi-user.target
diff --git a/contrib/systemd/bookwyrm-worker.service b/contrib/systemd/bookwyrm-worker.service
index ebba8b6ca..b9406a66e 100644
--- a/contrib/systemd/bookwyrm-worker.service
+++ b/contrib/systemd/bookwyrm-worker.service
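Review bot: `BindReadOnlyPaths=/opt/bookwyrm` makes the `WorkingDirectory` read-only, but celery beat by default writes its pid file (`celerybeat.pid`) into the current directory, so the scheduler is likely to fail at startup under this sandbox; give it an explicit location on the writable private tmp, e.g. append `--pidfile=/tmp/celerybeat.pid` to the `ExecStart` line (the schedule itself goes to the database via `DatabaseScheduler`, so no other cwd write is expected). Across all three hunks (also bookwyrm-worker.service and bookwyrm.service), `RestrictNamespaces=net` explicitly permits creating network namespaces, which none of these Python processes should need; `RestrictNamespaces=true` denies all namespace types. The same hardening block would be rounded out by `NoNewPrivileges=true`, `CapabilityBoundingSet=`, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` and `SystemCallFilter=@system-service`, none of which are set here. Note also that `MemoryDenyWriteExecute=true` can break Python extensions that rely on writable-executable memory (e.g. ctypes/libffi callbacks), so the image-processing and email paths deserve a start-up test under the new unit before merging.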
@@ -5,10 +5,30 @@ After=network.target postgresql.service redis.service
 [Service]
 User=bookwyrm
 Group=bookwyrm
-WorkingDirectory=/opt/bookwyrm/
+WorkingDirectory=/opt/bookwyrm
 ExecStart=/opt/bookwyrm/venv/bin/celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,streams,images,suggested_users,email,connectors,lists,inbox,imports,import_triggered,broadcast,misc
 StandardOutput=journal
 StandardError=inherit
+ProtectSystem=strict
+ProtectHome=tmpfs
+InaccessiblePaths=-/media -/mnt -/srv
+PrivateTmp=yes
+TemporaryFileSystem=/var /run /opt
+PrivateUsers=true
+PrivateDevices=true
+BindReadOnlyPaths=/opt/bookwyrm
+BindPaths=/opt/bookwyrm/images /opt/bookwyrm/static /var/run/postgresql
+LockPersonality=yes
+MemoryDenyWriteExecute=true
+PrivateMounts=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+RestrictNamespaces=net
 [Install]
 WantedBy=multi-user.target
diff --git a/contrib/systemd/bookwyrm.service b/contrib/systemd/bookwyrm.service
index c7ebe26ec..6e9434aa3 100644
--- a/contrib/systemd/bookwyrm.service
+++ b/contrib/systemd/bookwyrm.service
@@ -5,10 +5,30 @@ After=network.target postgresql.service redis.service
 [Service]
 User=bookwyrm
 Group=bookwyrm
-WorkingDirectory=/opt/bookwyrm/
+WorkingDirectory=/opt/bookwyrm
 ExecStart=/opt/bookwyrm/venv/bin/gunicorn bookwyrm.wsgi:application --bind 0.0.0.0:8000
 StandardOutput=journal
 StandardError=inherit
+ProtectSystem=strict
+ProtectHome=tmpfs
+InaccessiblePaths=-/media -/mnt -/srv
+PrivateTmp=yes
+TemporaryFileSystem=/var /run /opt
+PrivateUsers=true
+PrivateDevices=true
+BindReadOnlyPaths=/opt/bookwyrm
+BindPaths=/opt/bookwyrm/images /opt/bookwyrm/static /var/run/postgresql
+LockPersonality=yes
+MemoryDenyWriteExecute=true
+PrivateMounts=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+RestrictNamespaces=net
 [Install]
 WantedBy=multi-user.target