diff --git a/service.go b/service.go
index a752684..18803c1 100644
--- a/service.go
+++ b/service.go
@@ -29,6 +29,31 @@ func installService() {
 unit.NewUnitOption("Service", "ExecStart", executable+" service"),
 unit.NewUnitOption("Service", "SuccessExitStatus", "15"),
 unit.NewUnitOption("Service", "Restart", "on-failure"),
+ unit.NewUnitOption("Service", "DynamicUser", "yes"),
+ unit.NewUnitOption("Service", "SupplementaryGroups", "docker"),
+ unit.NewUnitOption("Service", "CapabilityBoundingSet", ""),
+ unit.NewUnitOption("Service", "DevicePolicy", "closed"),
+ unit.NewUnitOption("Service", "IPAddressDeny", "any"),
+ unit.NewUnitOption("Service", "LockPersonality", "yes"),
+ unit.NewUnitOption("Service", "MemoryDenyWriteExecute", "yes"),
+ unit.NewUnitOption("Service", "NoNewPrivileges", "yes"),
+ unit.NewUnitOption("Service", "PrivateDevices", "yes"),
+ unit.NewUnitOption("Service", "PrivateNetwork", "yes"),
+ unit.NewUnitOption("Service", "PrivateUsers", "yes"),
+ unit.NewUnitOption("Service", "ProtectClock", "yes"),
+ unit.NewUnitOption("Service", "ProtectControlGroups", "yes"),
+ unit.NewUnitOption("Service", "ProtectHome", "yes"),
+ unit.NewUnitOption("Service", "ProtectHostname", "yes"),
+ unit.NewUnitOption("Service", "ProtectKernelLogs", "yes"),
+ unit.NewUnitOption("Service", "ProtectKernelModules", "yes"),
+ unit.NewUnitOption("Service", "ProtectKernelTunables", "yes"),
+ unit.NewUnitOption("Service", "RestrictAddressFamilies", "AF_UNIX"),
+ unit.NewUnitOption("Service", "RestrictNamespaces", "yes"),
+ unit.NewUnitOption("Service", "RestrictRealtime", "yes"),
+ unit.NewUnitOption("Service", "SystemCallArchitectures", "native"),
+ unit.NewUnitOption("Service", "SystemCallErrorNumber", "EPERM"),
+ unit.NewUnitOption("Service", "SystemCallFilter", "@system-service"),
+ unit.NewUnitOption("Service", "UMask", "0777"),
 unit.NewUnitOption("Install", "WantedBy", "docker.service"),
 })
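Review bot: `UMask=0777` on the last added line clears every permission bit from anything the service creates, so files, directories and sockets it writes cannot be opened by other processes (or by the service itself on a later open); the owner-only mask this hardening set is presumably after is `unit.NewUnitOption("Service", "UMask", "0077"),`. None of the added sandbox options reduce what the process can do through the Docker socket it is granted via `SupplementaryGroups=docker`, since membership in that group is equivalent to root on the host, so a comment above the `DynamicUser` line such as `// NOTE: the docker socket still grants host-root; these options limit the process, not the socket.` would keep a later reader from overestimating the containment. Whether group-based access to the socket still passes once `PrivateUsers=yes` is in effect (unmapped users and groups appear as nobody inside the namespace) is worth confirming on a target host rather than assuming. The enclosing `installService` function starts before this hunk and ends after it.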