diff --git a/systems/jeeves/runners/nix_builder.nix b/systems/jeeves/runners/nix_builder.nix
index 3c75c19..c4fc905 100644
--- a/systems/jeeves/runners/nix_builder.nix
+++ b/systems/jeeves/runners/nix_builder.nix
@@ -28,6 +28,8 @@ in
 name: cfg: mkIf cfg.enable {
 autoStart = true;
+ privateNetwork = true;
+ ephemeral = true;
 bindMounts = {
 storage = {
 mountPoint = "/zfs/media/github-runners/${name}";
@@ -38,7 +40,10 @@ in
 hostPath = "/nix/var/nix/daemon-socket";
 isReadOnly = false;
 };
- secrets.mountPoint = "${vars.secrets}/services/github-runners/${name}";
+ secrets = {
+ mountPoint = "${vars.secrets}/services/github-runners/${name}";
+ isReadOnly = true;
+ };
 };
 config = {
@@ -68,6 +73,12 @@ in
 "flakes"
 "nix-command"
 ];
+ sandbox = true;
+ allowed-users = [ "github-runners" ];
+ trusted-users = [
+ "root"
+ "github-runners"
+ ];
 };
 nixpkgs = {
 overlays = builtins.attrValues outputs.overlays;
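Review bot: `privateNetwork = true;` moves the runner into its own network namespace, and nothing in this hunk gives it connectivity — no `hostAddress`/`localAddress` pair or `hostBridge`, and no host-side NAT for the container interface — so unless those are set elsewhere in the block the runner cannot reach GitHub at all. The enclosing `mkIf cfg.enable {` attribute set continues past the hunk, so the addresses may well live there; if so, a short comment next to these two lines would help, e.g. `# privateNetwork: needs hostAddress/localAddress + host NAT (configured below)`. `ephemeral = true;` also deserves a note that anything meant to survive a restart must live under `bindMounts`, like the `storage` mount that follows, since the container root is discarded on each start.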
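Review bot: Making the `secrets` mount `isReadOnly = true` is the right direction, but the `/nix/var/nix/daemon-socket` mount just above stays `isReadOnly = false` with no comment saying why. Connecting to a Unix socket does not require a writable mount (the kernel's read-only-filesystem check applies to regular files, directories and symlinks, not sockets), so that mount can most likely be tightened the same way; if something in the container genuinely needs to write there, a comment such as `# rw: <reason>` keeps the next reader from flipping it. The `bindMounts` set starts before this hunk, so there may be further mounts worth the same review.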
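Review bot: `sandbox = true;` and `trusted-users` are daemon-side settings, but this `nix.settings` block sits inside the container's `config`, while the second hunk bind-mounts the host's `/nix/var/nix/daemon-socket` into the container — so the daemon that actually runs the runner's builds reads the host's nix.conf, and these lines likely do not govern it. Where they do take effect, listing `github-runners` under `trusted-users` lets the CI user override `sandbox`, `substituters` and other restricted settings on a per-build basis, which undoes the `sandbox = true` two lines above; a user that only needs to submit builds is normally listed in `allowed-users` alone. Suggest dropping `"github-runners"` from `trusted-users` and adding `# builds go through the host daemon socket; sandbox/trusted-users must be enforced in the host's nix.settings` so the intent is recorded where it matters. The `nix.settings` attribute set begins before this hunk.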