diff --git a/cmd/dwelling-home/main.go b/cmd/dwelling-home/main.go
index 4aa0caa..a4432ad 100644
--- a/cmd/dwelling-home/main.go
+++ b/cmd/dwelling-home/main.go
@@ -21,11 +21,11 @@ import (
 var version string
 var showVersion *bool = flag.Bool("v", false, "show version")
-var listenAddress *string = flag.String("l", "/var/run/dwelling-home/sock", "listen address (ip:port|unix_path)")
-var captchaExpiry *time.Duration = flag.Duration("ce", 10*time.Minute, "CAPTCHA expiry (e.g. 5m, 60s)")
-var guestbookOwner *string = flag.String("gbo", "Admin", "name of a guestbook owner")
-var guestbookPageSize *int64 = flag.Int64("gbp", 60, "size of a guestbook page")
-var databasesPath *string = flag.String("db", "/var/lib/dwelling-home", "path to a directory where to store DB files")
+var listenAddress *string = flag.String("listen", "/var/run/dwelling-home/sock", "listen address (ip:port|unix_path)")
+var captchaExpiry *time.Duration = flag.Duration("captcha-expiry", 10*time.Minute, "CAPTCHA expiry (e.g. 5m, 60s)")
+var guestbookOwner *string = flag.String("guestbook-owner", "Admin", "name of a guestbook owner")
+var guestbookPageSize *int64 = flag.Int64("guestbook-page-size", 60, "size of a guestbook page")
+var databasesPath *string = flag.String("database-path", "/var/lib/dwelling-home", "path to a directory where to store DB files")
 func main() {
 flag.Parse()
diff --git a/init/systemd.service b/init/systemd.service
index f63b6f0..1df27b5 100644
--- a/init/systemd.service
+++ b/init/systemd.service
@@ -6,7 +6,9 @@ After=network-online.target
 Type=simple
 Restart=on-failure
 DynamicUser=yes
-ExecStart=/usr/bin/dwelling-home -l /var/run/dwelling-home/sock -db /var/lib/dwelling-home -ce 10m -gbo Arav -gbp 60
+ExecStart=/usr/bin/dwelling-home -listen /var/run/dwelling-home/sock \
+ -database-path /var/lib/dwelling-home -captcha-expiry 10m \
+ -guestbook-owner Arav -guestbook-page-size 60
 ReadOnlyPaths=/
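Review bot: In cmd/dwelling-home/main.go the five short flags (`-l`, `-ce`, `-gbo`, `-gbp`, `-db`) are removed with no alias, so any unit file, container entrypoint or script that still passes them will make `flag.Parse()` print usage and exit with status 2, because the default flag set uses `flag.ExitOnError`. Under the `Restart=on-failure` visible in the unit file of the same commit, an out-of-date deployment would show up as repeated restarts until the start limit is reached rather than as an obvious configuration error. If the old names should keep working for a release, register them against the same variables before `flag.Parse()`, e.g. `flag.StringVar(listenAddress, "l", *listenAddress, "deprecated: use -listen")`; otherwise the rename should be documented as a breaking change. The body of main continues outside the hunk.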
@@ -20,18 +22,33 @@ LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
+ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
+ProtectProc=noaccess
 ProtectSystem=strict
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file
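Review bot: The ten added `SystemCallFilter=~@…` lines are a deny-list only, so the filter's default action stays "allow" and every syscall outside those groups remains reachable; the stronger shape is to put an allow-list first, `SystemCallFilter=@system-service`, and keep the `~` lines after it to subtract from that set. No `SystemCallErrorNumber=` appears in this hunk, so a filtered call would end the process with SIGSYS, and together with `Restart=on-failure` a single missed syscall becomes a restart loop; adding `SystemCallErrorNumber=EPERM` turns it into an error the service can log. `~@privileged` already contains `@clock`, `@module`, `@raw-io`, `@reboot` and `@swap`, so those five lines are redundant and can be dropped or kept with a comment saying they are intentional. `@privileged` also contains `@chown`, so if the binary ever changes ownership of its unix socket (not visible here) that call would be blocked; confirm with a start-up test of the socket path under the final unit.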