diff --git a/nixos/modules/spending.nix b/nixos/modules/spending.nix
index 32470b4689725f64d1e341ebdaa1d5a59b34c74b..238fbe8f939c4ddb0c78b9a34e106dbea8e39921 100644
--- a/nixos/modules/spending.nix
+++ b/nixos/modules/spending.nix
@@ -54,6 +54,58 @@ in
 serviceConfig.Restart = "always";
 serviceConfig.Type = "simple";
+ # Use a unnamed user.
+ serviceConfig.DynamicUser = true;
+
+ serviceConfig = {
+ # Work around https://twistedmatrix.com/trac/ticket/10261
+ # Create a runtime directory so that the service has permission
+ # to change the mode on the socket.
+ RuntimeDirectory = "zkap-spending-service";
+
+ # This set of restrictions is mostly dervied from
+ # - running `systemd-analyze security zkap-spending-service.service
+ # - Looking at the restrictions from the nixos nginx config.
+ AmbientCapabilities = "";
+ CapabilityBoundingSet = "";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateNetwork = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = "AF_UNIX";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ # Lines starting with "~" are deny-list the others are allow-list
+ # Since the first line is allow, that bounds the set of allowed syscalls
+ # and the further lines restrict it.
+ SystemCallFilter = [
+ # From systemd.exec(5), @system-service is "A reasonable set of
+ # system calls used by common system [...]"
+ "@system-service"
+ # This is from the nginx config, except that `@ipc` is not removed,
+ # since twisted uses a self-pipe.
+ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"
+ ];
+ Umask = "0077";
+ };
+
 script = let
 httpArgs = "--http-endpoint systemd:domain=UNIX:index=0";
 in
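Review bot: With `ProtectSystem = "strict"` and `DynamicUser = true`, the only writable location the unit is granted is the `RuntimeDirectory` under `/run`, so if the spending service persists anything to disk (not visible here — the `script` that follows continues outside the hunk) it also needs `StateDirectory = "zkap-spending-service";`, otherwise those writes fail at runtime rather than at evaluation. `MemoryDenyWriteExecute = true` deserves a comment as well, since it breaks any dependency that maps W+X pages (libffi closures used by ctypes/cffi callbacks, JIT extensions); that is fine for plain CPython but should be confirmed with a smoke test of the socket-activated endpoint, e.g. `# Denies W+X mappings; safe for CPython, breaks ctypes/cffi callbacks and JITs.` Stylistically, `serviceConfig.DynamicUser = true;` is assigned by attribute path and then `serviceConfig = { ... };` is assigned as a whole set, which relies on Nix merging the two definitions; moving `DynamicUser = true;` inside the block alongside the other hardening keys reads more clearly. The new comments also carry two typos: `dervied` → `derived` and `a unnamed user` → `an unnamed user`.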