diff --git a/nix/apps/does-it-build/default.nix b/nix/apps/does-it-build/default.nix index a4dafa3..7941ae7 100644 --- a/nix/apps/does-it-build/default.nix +++ b/nix/apps/does-it-build/default.nix @@ -3,7 +3,6 @@ let does-it-build-base = (import (pkgs.fetchFromGitHub my-projects-versions.does-it-build.fetchFromGitHub)) { inherit pkgs; }; does-it-build = does-it-build-base.overrideAttrs (finalAttrs: previousAttrs: { DOES_IT_BUILD_OVERRIDE_VERSION = my-projects-versions.does-it-build.commit; - RUSTFLAGS = "-Cforce-frame-pointers=true"; }); in { diff --git a/nix/apps/widetom/default.nix b/nix/apps/widetom/default.nix index d9fcc07..c7372fd 100644 --- a/nix/apps/widetom/default.nix +++ b/nix/apps/widetom/default.nix @@ -8,7 +8,6 @@ let meta = { mainProgram = "widertom"; }; - RUSTFLAGS = "-Cforce-frame-pointers=true"; }; in { @@ -32,21 +31,6 @@ in serviceConfig = { DynamicUser = true; ExecStart = lib.getExe widetom; - PrivateDevices = true; - ProtectHome = true; - ProtectClock = true; - ProtectKernelLogs = true; - ProtectHostname = true; - ProtectKernelTunables = true; - CapabilityBoundingSet = ""; - ProtectProc = "noaccess"; - RestrictNamespaces = true; - MemoryDenyWriteExecute = true; - ProtectControlGroups = true; - ProtectKernelModules = true; - SystemCallArchitectures = ""; - SystemCallFilter = "@system-service"; - RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; }; }; diff --git a/nix/modules/default/default.nix b/nix/modules/default/default.nix index b14b5ab..4138af9 100644 --- a/nix/modules/default/default.nix +++ b/nix/modules/default/default.nix 
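Review bot: In `nix/apps/widetom/default.nix` (hunk `@@ -32,21 +31,6 @@`) the service is left with only `DynamicUser = true;` and `ExecStart`, and nothing records why the rest of the sandbox was dropped or when it should come back. `DynamicUser` still implies a baseline (systemd documents `ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp` and `NoNewPrivileges` for it), but the empty capability bounding set, the `@system-service` syscall filter and the `AF_INET`/`AF_INET6` restriction no longer apply. If a single directive caused a breakage, I would keep the others and mark the gap with a comment such as `# TODO: re-add SystemCallFilter once the failing syscall is identified`. The enclosing service definition begins before the hunk.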
@@ -188,22 +188,6 @@ in }; systemd.services.alloy.serviceConfig = { DynamicUser = lib.mkForce false; - PrivateDevices = true; - ProtectClock = true; - ProtectKernelLogs = true; - PrivateMounts = true; - ProtectControlGroups = true; - ProtectHostname = true; - LockPersonality = true; - ProtectKernelTunables = true; - ProtectSystem = true; - ProtectHome = true; - PrivateTmp = true; - NoNewPrivileges = true; - RestrictNamespaces = ""; - RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; - # TODO: find what's required for /proc/kallsyms (it should be CAP_SYSLOG!) - # CapabilityBoundingSet = "CAP_SYS_PTRACE CAP_BPF CAP_SYSLOG"; }; environment.etc."alloy/config.alloy".text = '' discovery.process "all" { diff --git a/nix/nixpkgs.json b/nix/nixpkgs.json index 4d92766..e63baef 100644 --- a/nix/nixpkgs.json +++ b/nix/nixpkgs.json @@ -1,5 +1,5 @@ { "channel": "nixos-25.05", - "lastUpdated": "2025-08-18T18:47:54.435Z", - "commit": "48f4c982de68d966421d2b6f1ddbeb6227cc5ceb" + "lastUpdated": "2025-08-03T11:42:11.747Z", + "commit": "59e69648d345d6e8fef86158c555730fa12af9de" }
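Review bot: In `nix/modules/default/default.nix` (hunk `@@ -188,22 +188,6 @@`) `systemd.services.alloy.serviceConfig` now sets only `DynamicUser = lib.mkForce false;`, so none of the protections a dynamic user implies apply and no `User` appears in the visible lines. Unless the rest of the module or the upstream unit sets one, the agent presumably runs as root with no confinement. The config that follows opens with `discovery.process "all"`, so this is a process-inspecting agent; `NoNewPrivileges = true;`, `ProtectHome = true;` and `PrivateTmp = true;` seem unlikely to interfere with that, though this needs testing. I would keep the directives that were not implicated in the failure and add a one-line comment naming the one that was, so the relaxation stays traceable. The surrounding module starts and ends outside the hunk.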