diff --git a/nixos/modules/restricted-service.nix b/nixos/modules/restricted-service.nix
index 8911c1d602ab19c0390bf87b576c8358d539f871..93401799559ec35082ffe1018bfbb1b32d103ccf 100644
--- a/nixos/modules/restricted-service.nix
+++ b/nixos/modules/restricted-service.nix
@@ -1,8 +1,15 @@
+# Provide secure defaults for systemd services
+#
+# Good reads:
+# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
+# https://docs.arbitrary.ch/security/systemd.html
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+
 {
   DynamicUser = true;
 
   # This set of restrictions is mostly dervied from
-  # - running `systemd-analyze security zkap-spending-service.service
+  # - running `systemd-analyze security zkap-spending-service.service`
   # - Looking at the restrictions from the nixos nginx config.
   AmbientCapabilities = "";
   CapabilityBoundingSet = "";
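Review bot: The new header presents this file as generic secure defaults for systemd services, but the comment a few lines below still says the set was derived by running `systemd-analyze security` against a single unit, zkap-spending-service.service, so a reader importing it for another service cannot tell that the restrictions were only checked against that one. I would add a line such as `# Re-run systemd-analyze security <unit> for every service that imports this set, and override per unit where needed.` The context line above the corrected backtick still reads "dervied"; since this commit already touches its neighbour, `# This set of restrictions is mostly derived from` could go in with it. Of the three links only the freedesktop man page is the authoritative reference, and the gist link is not pinned to a revision, so its content may change; marking the other two as background reading would make that clear. The attribute set opened in this hunk continues past its last line.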