commit - 2c18e9a7f803ff74613354c8912eddd79fa0ed5c
commit + 2a52befa56eec493d4179c1568c7e6cd26d9ae23
blob - b71eef2b178f885fd0e06b678a0b04881c506d1e
blob + f24ef60c320824f065ad46c7e9bb76ca90c3f3fc
--- contrib/ngircd.service
+++ contrib/ngircd.service
@@ -4,8 +4,19 @@ After=network.target
 
 [Service]
 Type=forking
+User=irc
+Group=irc
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_NET_BIND_SERVICE
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=true
+NoNewPrivileges=true
+RuntimeDirectory=ircd
+RuntimeDirectoryMode=750
 ExecStart=/usr/sbin/ngircd
 ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
 
 [Install]
 WantedBy=multi-user.target