diff --git a/hardening/opensnitch/default.nix b/hardening/opensnitch/default.nix index 2b8e6cb..5c0293b 100644 --- a/hardening/opensnitch/default.nix +++ b/hardening/opensnitch/default.nix @@ -46,8 +46,10 @@ in networking.nftables.enable = true; # security.audit.enable = true; - systemd.services.opensnitchd.path = lib.optional (config.services.opensnitch.settings.ProcMonitorMethod == "audit") pkgs.audit.bin; - + systemd.services.opensnitchd.path = lib.optional ( + config.services.opensnitch.settings.ProcMonitorMethod == "audit" + ) pkgs.audit.bin; + services.opensnitch = { enable = true; settings = { diff --git a/hardening/systemd/global/default.nix b/hardening/systemd/global/default.nix index d232675..65572f2 100644 --- a/hardening/systemd/global/default.nix +++ b/hardening/systemd/global/default.nix @@ -2,5 +2,6 @@ imports = [ ./hostname.nix ./clock.nix + ./realtime.nix ]; } diff --git a/hardening/systemd/global/realtime.nix b/hardening/systemd/global/realtime.nix new file mode 100644 index 0000000..53aaea9 --- /dev/null +++ b/hardening/systemd/global/realtime.nix @@ -0,0 +1,27 @@ +{ lib, config, ... }: +let + inherit (lib) mkDefault types mkIf; +in +{ + options.systemd.services = lib.mkOption { + type = + let + osConfig = config; + in + types.attrsOf ( + lib.types.submodule { + config.serviceConfig = mkIf (osConfig.specialisation != { }) { + RestrictRealtime = mkDefault true; + }; + } + + ); + }; + + config = mkIf (config.specialisation != { }) { + + systemd.services = { + rtkit-daemon.serviceConfig.RestrictRealtime = false; + }; + }; +} diff --git a/hardening/systemd/tty.nix b/hardening/systemd/tty.nix index a677428..0dd1476 100644 --- a/hardening/systemd/tty.nix +++ b/hardening/systemd/tty.nix 
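Review bot: In realtime.nix the exemption `rtkit-daemon.serviceConfig.RestrictRealtime = false;` is unconditional, so on a host where `security.rtkit.enable` is off it still materialises an `rtkit-daemon.service` unit containing nothing but `RestrictRealtime=no`; guarding it, e.g. `rtkit-daemon = mkIf config.security.rtkit.enable { serviceConfig.RestrictRealtime = false; };`, keeps the exemption from creating a stray unit. The exemption also deserves a why-comment, since rtkit's job is to hand realtime priorities to other processes through `sched_setscheduler`, which is exactly the call `RestrictRealtime` filters — something like `# rtkit sets SCHED_RR/FIFO on client threads; RestrictRealtime would refuse that` would do. Injecting `RestrictRealtime = mkDefault true` through the submodule type correctly yields to any service that sets the option explicitly, but the file has no header comment saying the default only applies while `specialisation != { }` (the same gate tty.nix uses); presumably that leaves a specialisation un-hardened for rescue use, which is worth stating and confirming.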
@@ -3,16 +3,32 @@ config.systemd.services = lib.mkIf (config.specialisation != { }) { "getty@".serviceConfig = { - #CapabilityBoundingSet =[ - # "CAP_SYS_TTY_CONFIGCAP_LEASE" - #]; + CapabilityBoundingSet = [ + "CAP_CHOWN" + "CAP_FOWNER" + "CAP_FSETID" + "CAP_SETGID" + "CAP_SETUID" + "CAP_SYS_NICE" + "CAP_SYS_RESOURCE" + "CAP_SYS_TTY_CONFIG" + ]; # NoNewPrivileges = true; - RestrictNamespaces = "pid"; + + RestrictNamespaces = [ + "~pid" + "~user" + "~net" + "~uts" + "~mnt" + "~cgroup" + "~ipc" + ]; ProtectControlGroups = true; ProtectHome = false; - ProtectClock = false; + # ProtectClock = true; ProtectKernelModules = true; ProtectKernelTunables = true; MemoryDenyWriteExecute = true; @@ -20,7 +36,6 @@ SystemCallArchitectures = "native"; SystemCallFilter = lib.mkForce "@system-service"; LockPersonality = true; - #RestrictRealtime=true; ProtectProc = "invisible"; # PrivateUsers=true; diff --git a/specific/grimm-nixos-ssd/configuration.nix b/specific/grimm-nixos-ssd/configuration.nix index 91c0983..f2617a1 100644 --- a/specific/grimm-nixos-ssd/configuration.nix +++ b/specific/grimm-nixos-ssd/configuration.nix @@ -30,7 +30,7 @@ grimmShared = { tooling = { enable = true; -# pass = true; + # pass = true; }; gaming = true; portals = true;
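Review bot: The new `RestrictNamespaces` list inverts the old setting rather than extending it — `"pid"` was an allow-list that permitted only PID namespaces, whereas `"~pid"` denies them, and with all seven namespace types listed the value is equivalent to the plainer `RestrictNamespaces = true;`, which should be used if a full deny is the intent. Note also that the new `CapabilityBoundingSet`, like the existing `SystemCallFilter = "@system-service"` and the namespace restriction, is inherited by every process of the console login session, so a root shell reached via `sudo`/`su` on a VT will run without CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_NET_ADMIN, CAP_KILL and the rest; if a confined console is the goal, a comment such as `# Bounding set and seccomp filters are inherited by the whole VT session, including sudo/su root shells` would spare the next reader a surprise. The set omits `CAP_AUDIT_WRITE`; audit appears to be off here (`security.audit.enable` is commented out in opensnitch/default.nix), but if it is enabled later, login/pam session records will need that capability. The enclosing `config.systemd.services = lib.mkIf (config.specialisation != { }) { ... }` attribute set continues past the end of the hunk.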