diff --git a/systemd/system/certbot-renew.service.d/local.conf b/systemd/system/certbot-renew.service.d/local.conf
index 0ca435f..7afb0a1 100644
--- a/systemd/system/certbot-renew.service.d/local.conf
+++ b/systemd/system/certbot-renew.service.d/local.conf
@@ -1,2 +1,28 @@
 [Service]
+CapabilityBoundingSet=
+CPUSchedulingPolicy=batch
 ExecStart=/usr/bin/certbot -q renew --no-random-sleep-on-renew
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=read-only
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt -/srv/certbot
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources @obsolete
diff --git a/systemd/system/certbot-renew.service.d/mail.grapheneos.org.conf b/systemd/system/certbot-renew.service.d/mail.grapheneos.org.conf
new file mode 100644
index 0000000..2f70388
--- /dev/null
+++ b/systemd/system/certbot-renew.service.d/mail.grapheneos.org.conf
@@ -0,0 +1,4 @@
+[Service]
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+PrivateUsers=false
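Review bot: `RestrictAddressFamilies=AF_INET AF_INET6` in local.conf leaves out AF_UNIX, which any renewal or deploy hook that runs `systemctl reload …` needs in order to talk to the systemd manager, and which name resolution through nss-resolve also uses; whether such hooks are configured is not visible in this diff, so this should be confirmed before the unit goes live. If they are, the line should read `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`. Combined with `ProtectSystem=strict`, the `ReadWritePaths=` line is the only writable set, so the same hooks must also stay inside those paths. `ProtectHome=read-only` presumably could be tightened to `ProtectHome=true`, since nothing in the ExecStart line suggests certbot reads from home directories — worth a check.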
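Review bot: The capability override in mail.grapheneos.org.conf only takes effect because drop-ins in a `.d` directory are applied in lexical order and this file name sorts after local.conf; nothing in the new file records that ordering dependency or why the three settings travel together. A header comment would help the next maintainer, e.g. `# Overrides local.conf (applied later by name): grants CAP_NET_BIND_SERVICE via the ambient set, which presumably requires PrivateUsers=false to be effective.` The reason this host needs to bind a privileged port during renewal is not visible in the diff and should be stated in that comment as well.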