diff --git a/debian/conffiles b/debian/conffiles
new file mode 100644
index 0000000000000000000000000000000000000000..9617f9dfd7b47d097c538f0f6a669a2d922462a4
--- /dev/null
+++ b/debian/conffiles
@@ -0,0 +1 @@
+#/etc/prometheus-hcloud-exporter/
diff --git a/prometheus-hcloud-exporter@.service b/prometheus-hcloud-exporter@.service
index 96c412586bc3fc17276c3bed7462bf62cb54b00a..fed4be081e25b5d0aa5a4c0bb65bdf67661442ec 100644
--- a/prometheus-hcloud-exporter@.service
+++ b/prometheus-hcloud-exporter@.service
@@ -1,9 +1,37 @@
 [Unit]
 Description=Prometheus exporter for hetzner cloud metrics
+After=network.target
 
 [Service]
+
 Restart=always
-DynamicUser=yes
+RestartSec=10
+
+DynamicUser=true
+PrivateUsers=true
+CapabilityBoundingSet=
+NoNewPrivileges=true
+RemoveIPC=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectClock=true
+ProtectHostname=true
+ProtectProc=noaccess
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+MemoryDenyWriteExecute=true
+
 EnvironmentFile=/etc/prometheus-hcloud-exporter/%i.env
 ExecStart=/usr/bin/prometheus-hcloud-exporter $ARGS
 ExecReload=/bin/kill -HUP $MAINPID