diff --git a/hardening/systemd/acpid.nix b/hardening/systemd/acpid.nix
new file mode 100644
index 0000000..2b5f259
--- /dev/null
+++ b/hardening/systemd/acpid.nix
@@ -0,0 +1,27 @@
+{ lib, config, ... }:
+{
+ config.systemd.services = lib.mkIf (config.specialisation != { }) {
+ acpid.serviceConfig = {
+ CapabilityBoundingSet = [
+ ""
+ ];
+ NoNewPrivileges = true;
+ RestrictNamespaces = "pid";
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ MemoryDenyWriteExecute = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
+ LockPersonality = true;
+ ProtectHostname=true;
+ ProtectSystem=true;
+ PrivateUsers=true;
+ PrivateNetwork=true;
+ RestrictRealtime=true;
+ IPAddressAllow=[];
+ RestrictAddressFamilies="AF_NETLINK AF_UNIX";
+ };
+ };
+}
diff --git a/hardening/systemd/auditd.nix b/hardening/systemd/auditd.nix
new file mode 100644
index 0000000..4d650c7
--- /dev/null
+++ b/hardening/systemd/auditd.nix
@@ -0,0 +1,24 @@
+{ lib, config, ... }:
+{
+ config.systemd.services = lib.mkIf (config.specialisation != { }) {
+ auditd.serviceConfig = {
+ # CapabilityBoundingSet = [ "CAP_AUDIT_*" "CAP_SYSLOG" "CAP_SYS_NICE" "CAP_SYS_PACCT" "CAP_SYS_PTRACE" ];
+ NoNewPrivileges = true;
+ RestrictNamespaces = "pid";
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ MemoryDenyWriteExecute = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
+ LockPersonality = true;
+ ProtectHostname=true;
+ ProtectSystem=true;
+ # PrivateUsers=true;
+ # PrivateNetwork=true;
+ RestrictRealtime=true;
+ IPAddressAllow=[];
+ RestrictAddressFamilies="AF_NETLINK";
+ };
+ };
+}
diff --git a/hardening/systemd/cups.nix b/hardening/systemd/cups.nix
new file mode 100644
index 0000000..bf75cbc
--- /dev/null
+++ b/hardening/systemd/cups.nix
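Review bot: `IPAddressAllow=[];` in acpid.serviceConfig restricts nothing on its own: the NixOS unit generator emits one `Key=value` line per list element, so an empty list produces no line at all, and even an explicit empty `IPAddressAllow=` only clears the allow list — traffic is blocked only when `IPAddressDeny=` is set, so the intended effect needs `IPAddressDeny = "any";`. The same line appears in auditd.nix, where it matters more because PrivateNetwork is commented out there. For acpid, PrivateNetwork=true already isolates the service, but acpid receives its events over AF_NETLINK and the hunk records no check that events still arrive inside the private network namespace; worth confirming before this lands. The mixed `Key=value;` and `Key = value;` spacing within the block is a minor style nit shared by all three new files.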
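Review bot: The CapabilityBoundingSet line in auditd.serviceConfig is commented out with no explanation, which leaves the service with the full root capability set and undercuts most of the remaining directives. If the recorded set broke something, the comment should say which capability or failure was observed, e.g. `# CapabilityBoundingSet disabled: <observed failure> — re-test with CAP_AUDIT_CONTROL CAP_AUDIT_WRITE CAP_SYSLOG before re-enabling`, so the next reader knows it was tested rather than forgotten. `RestrictNamespaces = "pid"` (also in acpid.nix and cups.nix) permits PID-namespace creation rather than denying all namespaces; unless auditd needs that, `RestrictNamespaces = true;` is the usual hardened value, so the choice deserves a comment if deliberate.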
@@ -0,0 +1,28 @@
+{ lib, config, ... }:
+{
+ config.systemd.services = lib.mkIf (config.specialisation != { }) {
+ cups.serviceConfig = {
+ #CapabilityBoundingSet = [
+ # ""
+ #];
+ NoNewPrivileges = true;
+ RestrictNamespaces = "pid";
+
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ MemoryDenyWriteExecute = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
+ LockPersonality = true;
+ ProtectHostname=true;
+ RestrictRealtime=true;
+
+ # PrivateUsers=true;
+ # PrivateNetwork=true;
+ # RestrictAddressFamilies="AF_UNIX";
+ # ProtectSystem=true;
+ };
+ };
+}
diff --git a/hardening/systemd/default.nix b/hardening/systemd/default.nix
index 4b17dce..9422df7 100644
--- a/hardening/systemd/default.nix
+++ b/hardening/systemd/default.nix
@@ -15,6 +15,9 @@ in
 imports = [
 ./NetworkManager.nix
 ./wpa_supplicant.nix
+ ./auditd.nix
+ ./acpid.nix
+ ./cups.nix
 ];
 options.systemd.services = lib.mkOption {
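Review bot: The commented-out `RestrictAddressFamilies="AF_UNIX"` in cups.serviceConfig would cut cupsd off from its TCP listener (the local IPP port and any network printers), which is presumably why it, ProtectSystem, PrivateNetwork and PrivateUsers were disabled, but the hunk records no reason, so a later reader cannot tell whether they were tested or merely skipped. Rather than dropping the family restriction entirely, `RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";` keeps the protection while still allowing IPP over TCP; verify with a print job before merging. Add a short comment beside each disabled line naming what broke, e.g. `# ProtectSystem=true disabled: <observed failure>`, or delete the lines if re-enabling them is not planned.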