diff --git a/flake.nix b/flake.nix
index b1db1dc..35b19c1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -12,6 +12,14 @@ config.systemd.services.boddle = lib.mkIf config.services.boddle.enable {
 script = lib.getExe pkgs.boddle;
+ confinement.enable = true;
+ unitConfig.conditionPathExists = [
+ "/var/lib/boddle/boddle.toml"
+ "/var/lib/boddle/boddle.db"
+ ];
+ serviceConfig.WorkingDirectory = "/var/lib/boddle";
+ serviceConfig.StateDirectory = "/var/lib/boddle";
+ serviceConfig.DynamicUser = true;
 };
 };
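Review bot: Two of the added unit settings are likely not to take effect as written. systemd directive names are case-sensitive and NixOS writes `unitConfig` keys into the [Unit] section verbatim, so `unitConfig.conditionPathExists` should end up as an unknown key that systemd ignores rather than a start condition; spell it `unitConfig.ConditionPathExists`. `StateDirectory=` accepts only names relative to /var/lib, so the absolute `"/var/lib/boddle"` is expected to be rejected, leaving the confined DynamicUser service without a writable state directory for boddle.db; use `serviceConfig.StateDirectory = "boddle";`. Once the condition is active, the unit is skipped without an error until both files exist, and with DynamicUser the state directory normally lives under /var/lib/private/boddle, so a short comment above the path list saying who provisions boddle.toml and boddle.db would help operators.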