Change systemd options

nix/module.nix

@@ -31,8 +31,11 @@ in
         ExecStart = "${pkgs.labmon}/bin/labmon ${settingsFile}";
         DynamicUser = true;
         Restart = "always";
+        RuntimeDirectory = "labmon";
+        RuntimeDirectoryMode = "0700";
 
         # Hardening
+        DeviceAllow = [ "/dev/null rw" ];
         DevicePolicy = "strict";
         LockPersonality = true;
         MemoryDenyWriteExecute = true;
@@ -53,6 +56,7 @@ in
         RestrictAddressFamilies = [
           "AF_INET"
           "AF_INET6"
+          "AF_UNIX"
         ];
         RestrictNamespaces = true;
         RestrictRealtime = true;