diff --git a/modules/nixos/services/wezterm-mux-server.nix b/modules/nixos/services/wezterm-mux-server.nix
index f4053b23..765fdbfe 100644
--- a/modules/nixos/services/wezterm-mux-server.nix
+++ b/modules/nixos/services/wezterm-mux-server.nix
@@ -46,9 +46,17 @@ in
 RestrictRealtime = true;
 ProtectClock = true;
 ProtectKernelLogs = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectHome = true;
 ProtectHostname = true;
 ProtectControlGroups = true;
 ProtectProc = "invisible";
+ ProcSubset = "pid";
+
+ RuntimeDirectory = "wezterm";
+ CacheDirectory = "wezterm";
+ StateDirectory = "wezterm";
 # Filtering system calls.
 SystemCallFilter = [
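Review bot: The three directories added at the end of the hunk (`RuntimeDirectory`, `CacheDirectory`, `StateDirectory`) are created with systemd's default mode 0755, so other local users can traverse and list /run/wezterm, /var/cache/wezterm and /var/lib/wezterm. If the mux socket or session state lives there, restrict them with `RuntimeDirectoryMode = "0700";`, `CacheDirectoryMode = "0700";` and `StateDirectoryMode = "0700";`. The hunk does not show where the server is told to place its socket and data, so confirm it really uses these paths and not a location under the service user's home, which `ProtectHome = true` now makes inaccessible. `ProtectHome` and `ProcSubset = "pid"` are also inherited by every shell the mux server spawns, which deserves a short comment next to those lines, for example `# also applies to shells started inside mux sessions`. The enclosing attribute set starts and ends outside the hunk.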