diff --git a/nixos/modules/system/boot/systemd/shutdown.nix b/nixos/modules/system/boot/systemd/shutdown.nix
index b42aaf5a0d32..ef2491a2d7ca 100644
--- a/nixos/modules/system/boot/systemd/shutdown.nix
+++ b/nixos/modules/system/boot/systemd/shutdown.nix
@@ -71,9 +71,21 @@ in
       serviceConfig = {
         Type = "oneshot";
+        ExecStart = "${pkgs.makeInitrdNGTool}/bin/make-initrd-ng ${ramfsContents} /run/initramfs";
+
+        # Sandboxing
         ProtectSystem = "strict";
         ReadWritePaths = "/run/initramfs";
-        ExecStart = "${pkgs.makeInitrdNGTool}/bin/make-initrd-ng ${ramfsContents} /run/initramfs";
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        PrivateNetwork = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
       };
     };
   };
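Review bot: The new `# Sandboxing` block narrows the filesystem and kernel-interface view but leaves this root oneshot (no `User=` is set in the hunk) with its full capability bounding set, every syscall and the ability to create namespaces or gain privileges, which is where `systemd-analyze security` will still score it as exposed. Since the unit appears to need only to read the Nix store and write under `/run/initramfs` (to be confirmed against what make-initrd-ng actually does, e.g. whether it chowns or needs `/dev`), the directives below would close that gap; `SystemCallFilter` in particular should be validated with a test shutdown, because a denied syscall kills the service rather than failing gracefully. It would also help to extend the comment to state the rationale, e.g. `# Sandboxing: the tool only reads the store and writes /run/initramfs`. The enclosing service definition starts before the hunk.

```nix
        # Sandboxing
        # … unchanged: ProtectSystem, ReadWritePaths and the Protect*/Private*/Lock*/MemoryDenyWriteExecute directives …
        CapabilityBoundingSet = "";
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        RestrictAddressFamilies = "none";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" ];
```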