systemd offers many low-effort features for hardening services, yet they are only slowly gaining adoption even though they are easy to use. I'd like to introduce the essential options for hardening a systemd service, taking into account some interesting possibilities that arise when at least parts of the system are completely immutable, as on NixOS.