diff --git a/nixos/modules/restricted-service.nix b/nixos/modules/restricted-service.nix
index 8127149b9addb3eb555bf71fcb3dbfb5612d9f9b..8911c1d602ab19c0390bf87b576c8358d539f871 100644
--- a/nixos/modules/restricted-service.nix
+++ b/nixos/modules/restricted-service.nix
@@ -1,48 +1,45 @@
 {
-  serviceConfig.DynamicUser = true;
+  DynamicUser = true;
 
-  serviceConfig = {
-
-    # This set of restrictions is mostly dervied from
-    # - running `systemd-analyze security zkap-spending-service.service
-    # - Looking at the restrictions from the nixos nginx config.
-    AmbientCapabilities = "";
-    CapabilityBoundingSet = "";
-    LockPersonality = true;
-    MemoryDenyWriteExecute = true;
-    NoNewPrivileges = true;
-    PrivateDevices = true;
-    PrivateMounts = true;
-    PrivateNetwork = true;
-    PrivateTmp = true;
-    PrivateUsers = true;
-    ProcSubset = "pid";
-    ProtectClock = true;
-    ProtectControlGroups = true;
-    ProtectHome = true;
-    ProtectHostname = true;
-    ProtectKernelLogs = true;
-    ProtectKernelModules = true;
-    ProtectKernelTunables = true;
-    ProtectProc = "invisible";
-    ProtectSystem = "strict";
-    RemoveIPC = true;
-    RestrictAddressFamilies = "AF_UNIX";
-    RestrictNamespaces = true;
-    RestrictRealtime = true;
-    RestrictSUIDSGID = true;
-    SystemCallArchitectures = "native";
-    # Lines starting with "~" are deny-list the others are allow-list
-    # Since the first line is allow, that bounds the set of allowed syscalls
-    # and the further lines restrict it.
-    SystemCallFilter = [
-      # From systemd.exec(5), @system-service is "A reasonable set of
-      # system calls used by common system [...]"
-      "@system-service"
-      # This is from the nginx config, except that `@ipc` is not removed,
-      # since twisted uses a self-pipe.
-      "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"
-    ];
-    Umask = "0077";
-  };
+  # This set of restrictions is mostly dervied from
+  # - running `systemd-analyze security zkap-spending-service.service
+  # - Looking at the restrictions from the nixos nginx config.
+  AmbientCapabilities = "";
+  CapabilityBoundingSet = "";
+  LockPersonality = true;
+  MemoryDenyWriteExecute = true;
+  NoNewPrivileges = true;
+  PrivateDevices = true;
+  PrivateMounts = true;
+  PrivateNetwork = true;
+  PrivateTmp = true;
+  PrivateUsers = true;
+  ProcSubset = "pid";
+  ProtectClock = true;
+  ProtectControlGroups = true;
+  ProtectHome = true;
+  ProtectHostname = true;
+  ProtectKernelLogs = true;
+  ProtectKernelModules = true;
+  ProtectKernelTunables = true;
+  ProtectProc = "invisible";
+  ProtectSystem = "strict";
+  RemoveIPC = true;
+  RestrictAddressFamilies = "AF_UNIX";
+  RestrictNamespaces = true;
+  RestrictRealtime = true;
+  RestrictSUIDSGID = true;
+  SystemCallArchitectures = "native";
+  # Lines starting with "~" are deny-list the others are allow-list
+  # Since the first line is allow, that bounds the set of allowed syscalls
+  # and the further lines restrict it.
+  SystemCallFilter = [
+    # From systemd.exec(5), @system-service is "A reasonable set of
+    # system calls used by common system [...]"
+    "@system-service"
+    # This is from the nginx config, except that `@ipc` is not removed,
+    # since twisted uses a self-pipe.
+    "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"
+  ];
+  Umask = "0077";
 }
diff --git a/nixos/modules/spending.nix b/nixos/modules/spending.nix
index 4c5563da5f11c6ca778c5f0dad36460383af66d5..0b9a63be1021d9833de350b6cee9870ad2fb137c 100644
--- a/nixos/modules/spending.nix
+++ b/nixos/modules/spending.nix
@@ -40,22 +40,22 @@ in
         wantedBy = [ "sockets.target" ];
         listenStreams = [ cfg.unixSocket ];
       };
+
       # Add a systemd service to run zkap-spending-service.
       systemd.services.zkap-spending-service = {
         enable = true;
         description = "ZKAP Spending Service";
         wantedBy = [ "multi-user.target" ];
 
-        serviceConfig.NonBlocking = true;
+        serviceConfig = (import ./restricted-service.nix) // {
+          NonBlocking = true;
 
-        # It really shouldn't ever exit on its own!  If it does, it's a bug
-        # we'll have to fix.  Restart it and hope it doesn't happen too much
-        # before we can fix whatever the issue is.
-        serviceConfig.Restart = "always";
-        serviceConfig.Type = "simple";
+          # It really shouldn't ever exit on its own!  If it does, it's a bug
+          # we'll have to fix.  Restart it and hope it doesn't happen too much
+          # before we can fix whatever the issue is.
+          Restart = "always";
+          Type = "simple";
 
-        imports = [ ./restricted-service.nix ];
-        serviceConfig = {
           # Work around https://twistedmatrix.com/trac/ticket/10261
           # Create a runtime directory so that the service has permission
           # to change the mode on the socket.