diff --git a/daemon/CMakeLists.txt b/daemon/CMakeLists.txt
index 9a966b09d..bad22a479 100644
--- a/daemon/CMakeLists.txt
+++ b/daemon/CMakeLists.txt
@@ -52,4 +52,10 @@ foreach(P daemon)
             FILES ${TR_NAME}-${P}.1
             DESTINATION ${CMAKE_INSTALL_MANDIR}/man1)
     endif()
+
+    if (WITH_SYSTEMD)
+        install(
+            FILES ${TR_NAME}-${P}.service
+            DESTINATION ${CMAKE_INSTALL_LIBDIR}/systemd/system)
+    endif()
 endforeach()
diff --git a/daemon/transmission-daemon.service b/daemon/transmission-daemon.service
index eaf3d8515..2fceede17 100644
--- a/daemon/transmission-daemon.service
+++ b/daemon/transmission-daemon.service
@@ -8,10 +8,31 @@ User=transmission
 Type=notify
 ExecStart=/usr/bin/transmission-daemon -f --log-level=error
 ExecReload=/bin/kill -s HUP $MAINPID
+
+# Hardening
+CapabilityBoundingSet=
+DevicePolicy=closed
+KeyringMode=private
+LockPersonality=true
 NoNewPrivileges=true
 MemoryDenyWriteExecute=true
-ProtectSystem=true
 PrivateTmp=true
+PrivateDevices=true
+ProtectClock=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectSystem=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictRealtime=true
+SystemCallFilter=@system-service
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
 
 [Install]
 WantedBy=multi-user.target