diff --git a/hosts/by-name/servo/services/jackett/default.nix b/hosts/by-name/servo/services/jackett/default.nix
index 351c37b76..556cec02e 100644
--- a/hosts/by-name/servo/services/jackett/default.nix
+++ b/hosts/by-name/servo/services/jackett/default.nix
@@ -12,13 +12,25 @@ in
   systemd.services.jackett.after = [ "wireguard-wg-ovpns.service" ];
   systemd.services.jackett.partOf = [ "wireguard-wg-ovpns.service" ];
-  systemd.services.jackett.serviceConfig = {
+  systemd.services.jackett = {
     # run this behind the OVPN static VPN
-    NetworkNamespacePath = "/run/netns/ovpns";
-    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
+    serviceConfig.NetworkNamespacePath = "/run/netns/ovpns";
+    serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
     # patch in `--ListenPublic` so that it's reachable from the netns veth.
     # this also makes it reachable from the VPN pub address. oh well.
-    ExecStart = lib.mkForce "${cfg.package}/bin/Jackett --ListenPublic --NoUpdates --DataFolder '${cfg.dataDir}'";
+    serviceConfig.ExecStart = lib.mkForce "${cfg.package}/bin/Jackett --ListenPublic --NoUpdates --DataFolder '${cfg.dataDir}'";
+    serviceConfig.RestartSec = "30s";
+
+    # hardening (systemd-analyze security jackett)
+    # TODO: upstream into nixpkgs
+    serviceConfig.LockPersonality = true;
+    serviceConfig.NoNewPrivileges = true;
+    # serviceConfig.MemoryDenyWriteExecute = true; #< Failed to create CoreCLR, HRESULT: 0x80004005
+    serviceConfig.PrivateDevices = true;
+    serviceConfig.PrivateMounts = true;
+    serviceConfig.PrivateTmp = true;
+    serviceConfig.PrivateUsers = true;
+    serviceConfig.ProcSubset = "pid";
   };
   # jackett torrent search
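Review bot: The new hardening block stops short of the filesystem and capability restrictions that `systemd-analyze security` weights most heavily: nothing in the added `serviceConfig.*` lines keeps Jackett from writing outside `${cfg.dataDir}` or from retaining capabilities, and `ProcSubset = "pid"` is normally paired with `ProtectProc = "invisible"`, without which other users' `/proc/PID` entries remain visible to the service. With `PrivateTmp`/`PrivateMounts` already enabled, `ProtectSystem = "strict"` plus `ReadWritePaths = [ cfg.dataDir ]`, `ProtectHome = true` and an empty `CapabilityBoundingSet` are the natural next step and should coexist with the existing `NoNewPrivileges`/`PrivateUsers` settings, assuming the module's `User=` is unprivileged and Jackett writes only under its data folder. Because CoreCLR already rejected `MemoryDenyWriteExecute`, each addition should be confirmed with a real service start; `SystemCallFilter` and `RestrictAddressFamilies` carry the same risk and are deliberately not proposed here. Separately, the retained `--ListenPublic` comment acknowledges the UI is reachable on the VPN's public address, and none of the added directives narrows that exposure, so a netns-side firewall rule for the Jackett port is worth tracking next to the `TODO`.
```nix
    serviceConfig.ProcSubset = "pid";
    # … unchanged: the hardening flags added above …
    serviceConfig.ProtectProc = "invisible";  # pairs with ProcSubset: hide other users' /proc/PID
    serviceConfig.ProtectSystem = "strict";
    serviceConfig.ReadWritePaths = [ cfg.dataDir ];  # the only path Jackett is expected to write — confirm on first start
    serviceConfig.ProtectHome = true;
    serviceConfig.CapabilityBoundingSet = "";  # unprivileged port + unprivileged user: no capabilities needed
```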