diff --git a/flake.nix b/flake.nix
index c25e88d..415726d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -12,37 +12,43 @@
 }:
 let
 forAllSystems =
- func: nixpkgs.lib.genAttrs (import systems) (system: func (import nixpkgs { inherit system; }));
+ func:
+ nixpkgs.lib.genAttrs (import systems) (system: func (import nixpkgs { inherit system; }) system);
 in
 {
- devShells = forAllSystems (pkgs: {
- default = pkgs.mkShell {
- packages = with pkgs; [
- cargo
- rustc
- rust-analyzer
- rustfmt
- clippy
- ];
- };
- });
- packages = forAllSystems (pkgs: {
- default = self.packages.${pkgs.system}.yoke;
- yoke = pkgs.rustPlatform.callPackage ./nix/package.nix {
- features = [
- "cli"
- ];
- };
- yoke-lite = pkgs.rustPlatform.callPackage ./nix/package.nix { };
- });
+ devShells = forAllSystems (
+ pkgs: sys: {
+ default = pkgs.mkShell {
+ packages = with pkgs; [
+ cargo
+ rustc
+ rust-analyzer
+ rustfmt
+ clippy
+ ];
+ };
+ }
+ );
+ packages = forAllSystems (
+ pkgs: sys: {
+ default = self.packages.${pkgs.system}.yoke;
+ yoke = pkgs.rustPlatform.callPackage ./nix/package.nix {
+ features = [
+ "cli"
+ ];
+ };
+ yoke-lite = pkgs.rustPlatform.callPackage ./nix/package.nix { };
+ }
+ );
 nixosModules.default =
 { pkgs, lib, ... }:
+ let
+ sys = pkgs.stdenv.hostPlatform.system;
+ in
 {
- config = {
- imports = [ ./nix/module.nix ];
- wrapperPkg = self.packages.${pkgs.system}.yoke-lite;
- environment.systemPackages = [ self.packages.${pkgs.system}.yoke ];
- };
+ imports = [ ./nix/module.nix ];
+ security.yoke.wrapperPkg = self.packages.${sys}.yoke-lite;
+ environment.systemPackages = [ self.packages.${sys}.yoke ];
 };
 };
 }
diff --git a/nix/module.nix b/nix/module.nix
index 11bfa6f..dce86e2 100644
--- a/nix/module.nix
+++ b/nix/module.nix
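Review bot: The new `sys` argument that `forAllSystems` now passes to each closure is never used — `devShells` ignores it and `packages` still resolves `default` through `pkgs.system`, while `nixosModules.default` switches to `pkgs.stdenv.hostPlatform.system`. Mixing the two spellings is harmless today but makes cross-system overrides of `self.packages` harder to reason about; use the parameter you introduced, `default = self.packages.${sys}.yoke;`, and either drop the unused parameter from the `devShells` closure or name it `_`. The enclosing `outputs` function starts before the hunk.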
@@ -32,19 +32,37 @@ let
 type = types.bool;
 default = false;
 };
- additionalPaths = mkOption {
+ pathRules = mkOption {
 type = types.listOf types.str;
 default = [ ];
 };
+ tcpRules = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ };
+ unrestrictTcp = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ unrestrictSockets = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ unrestrictSignals = mkOption {
+ type = types.bool;
+ default = false;
+ };
 };
 };
 in
 {
 options = {
- wrappers = mkOption {
- type = types.attrsOf wrapperType;
+ security.yoke = {
+ wrappers = mkOption {
+ type = types.attrsOf wrapperType;
+ };
+ wrapperPkg = mkPackageOption "wrapper" { } { nullable = false; };
 };
- wrapperPkg = mkPackageOption "wrapper" { } { nullable = false; };
 };
 config =
 let
@@ -54,7 +72,8 @@ in
 envs = lib.concatStringsSep " " (
 lib.mapAttrsToList (n: v: "${n}=${lib.concatStringsSep ":" v}") opts.env
 );
- extra = lib.concatStringsSep " " opts.additionalPaths;
+ extraPaths = lib.concatStringsSep " " opts.pathRules;
+ tcpRules = lib.concatStringsSep " " opts.tcpRules;
 sandboxArgs = pkgs.stdenvNoCC.mkDerivation {
 name = "${name}-opts";
 __structuredAttrs = true;
@@ -68,8 +87,9 @@ in
 echo -n "--fs rx=" > $out
 jq -r '.closure[].path' < "$NIX_ATTRS_JSON_FILE" \
 | tr '\n' ':' | sed 's/:$//' >> $out
- ${if (lib.length opts.additionalPaths != 0) then "echo -n ' ${extra}' >> $out" else ""}
- ${if (strNotEmpty envs) then "echo -n ' --env ${envs}' >> $out" else ""}
+ ${lib.optionalString (lib.length opts.pathRules != 0) "echo -n ' ${extraPaths}' >> $out"}
+ ${lib.optionalString (lib.length opts.tcpRules != 0) "echo -n ' --tcp ${tcpRules}' >> $out"}
+ ${lib.optionalString (strNotEmpty envs) "echo -n ' --env ${envs}' >> $out"}
 '';
 };
 command = lib.getExe' opts.package (
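Review bot: `security.yoke.wrappers` is declared without a `default`, and the config block later evaluates `config.security.yoke.wrappers` unconditionally, so any system that imports this module without defining at least one wrapper — which is exactly what the flake's `nixosModules.default` does, setting only `wrapperPkg` and `systemPackages` — should fail evaluation with an "option is used but not defined" error; add `default = { };` to the option. None of the new options carry a `description`, so the module's option documentation cannot be built, and the three `unrestrict*` flags in particular deserve wording that says they relax the sandbox rather than configure it, e.g. `description = "Drop yoke's TCP restriction for this wrapper (passes --no-tcp). Prefer tcpRules where possible.";`. The `wrapperType` submodule these options belong to begins before the hunk.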
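Review bot: `pathRules` and `tcpRules` are spliced verbatim into the builder's bash script inside single quotes (`echo -n ' ${extraPaths}' >> $out`) and from there into a whitespace-separated argument file, so a rule containing a single quote breaks out of the quoting and runs as shell inside the build, and a rule containing whitespace is split into several arguments by whatever consumes `$out` (presumably the `--fd-args` path in the wrapper script, which is outside this hunk). The option type is plain `types.str`, so nothing rejects such values at evaluation time and the result is a silently wrong policy file rather than an error. Constraining the options is the real fix, e.g. `type = types.listOf (types.strMatching "[^'[:space:]]+");` for both lists; `lib.escapeShellArg` would only protect the build script, not the argument file. The `sandboxArgs` derivation and the enclosing `wrap` function start before the hunk.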
@@ -78,9 +98,12 @@ in
 wrappedArgs = lib.concatStringsSep " " opts.args;
 script = ''
 #! /usr/bin/env bash
- ${lib.getExe' config.wrapperPkg "yoke"} \
- ${if opts.addPwd then "--fs rwx=$PWD" else ""} \
- ${if opts.retainEnv then "--retain-env" else ""} \
+ ${lib.getExe' config.security.yoke.wrapperPkg "yoke"} \
+ ${lib.optionalString opts.addPwd "--fs rwx=$PWD"} \
+ ${lib.optionalString opts.retainEnv "--retain-env"} \
+ ${lib.optionalString opts.unrestrictTcp "--no-tcp"} \
+ ${lib.optionalString opts.unrestrictSockets "--sockets"} \
+ ${lib.optionalString opts.unrestrictSignals "--signals"} \
 --fd-args -- \
 ${command} \
 ${wrappedArgs} $@ \
@@ -90,6 +113,6 @@ in
 pkgs.writeScriptBin "${name}" script;
 in
 {
- environment.systemPackages = lib.mapAttrsToList wrap config.wrappers;
+ environment.systemPackages = lib.mapAttrsToList wrap config.security.yoke.wrappers;
 };
 }
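Review bot: `unrestrictTcp` and `tcpRules` are not mutually exclusive, so a wrapper that sets both emits `--no-tcp` here and `--tcp …` from the argument file, and which of the two yoke honours cannot be determined from the module — a user who adds a rule while the flag is still on may believe TCP is restricted when it is not. Add a module assertion next to `environment.systemPackages` in the config block: `assertions = lib.mapAttrsToList (n: o: { assertion = !(o.unrestrictTcp && o.tcpRules != [ ]); message = "security.yoke.wrappers.${n}: unrestrictTcp and tcpRules are mutually exclusive"; }) config.security.yoke.wrappers;`. Separately, `"--fs rwx=$PWD"` is still expanded unquoted in the generated bash, so a working directory containing whitespace is split into several arguments and the rule is applied to the wrong path; `"--fs rwx=\"$PWD\""` keeps it as one argument. The `script` string and the enclosing `wrap` function continue beyond the hunk.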