diff --git a/roles/aurweb/templates/aurweb-mkpkglists.service.j2 b/roles/aurweb/templates/aurweb-mkpkglists.service.j2
index b3a6c14ca9fad61de8f845ef5df82049e5b8da22..77e13541434b3421cb0859986cfc9e2bffc32cf6 100644
--- a/roles/aurweb/templates/aurweb-mkpkglists.service.j2
+++ b/roles/aurweb/templates/aurweb-mkpkglists.service.j2
@@ -7,3 +7,30 @@ After=mysqld.service
 Type=oneshot
 User={{ aurweb_user }}
 ExecStart=/usr/local/bin/aurweb-mkpkglists
+
+NoNewPrivileges=true
+LockPersonality=true
+CapabilityBoundingSet=
+ReadWritePaths={{ aurweb_dir }}
+
+PrivateDevices=true
+PrivateTmp=true
+ProtectSystem=strict
+
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+
+RestrictAddressFamilies=AF_UNIX
+
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectClock=true
+ProtectProc=noaccess
+
+SystemCallArchitectures=native
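Review bot: The added sandbox leaves two gaps: there is no `ProtectHome=` and no `SystemCallFilter=`. `ProtectSystem=strict` mounts home directories read-only but leaves them readable, and `SystemCallArchitectures=native` restricts only the ABI, not which syscalls may be made. I would add `ProtectHome=true` (assuming `{{ aurweb_dir }}` is not under /home, which the hunk does not show) and `SystemCallFilter=@system-service` after the last line. Separately, `RestrictAddressFamilies=AF_UNIX` only works if the job reaches MySQL through the local socket rather than TCP, so confirm that against the aurweb database configuration. `ReadWritePaths={{ aurweb_dir }}` makes the whole tree writable and could probably be narrowed to the directory the package lists are written to.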