diff --git a/contrib/init/dogecoind.local.service b/contrib/init/dogecoind.local.service
new file mode 100644
index 000000000..66d84b75d
--- /dev/null
+++ b/contrib/init/dogecoind.local.service
@@ -0,0 +1,73 @@
+# This variant of the unit file is for local installations that are installed with `make install`.
+#
+# The relevant paths are:
+#
+#/usr/local/bin/dogecoind
+#/usr/local/etc/dogecoin/
+#/var/local/dogecoin/
+
+[Unit]
+Description=Dogecoin's distributed currency daemon
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/dogecoind -conf=/usr/local/etc/dogecoin/dogecoin.conf -datadir=/var/local/dogecoin
+
+KillSignal=SIGINT
+Restart=always
+RestartSec=5
+TimeoutStopSec=60
+TimeoutStartSec=5
+StartLimitIntervalSec=120
+StartLimitBurst=5
+
+User=dogecoin
+Group=dogecoin
+
+### Restrict resource consumption
+MemoryAccounting=yes
+MemoryLimit=3g
+
+### Restrict access to host file system.
+#
+# Hide the entire root file system by default, and *only* mount in exactly what is needed.
+#
+
+TemporaryFileSystem=/:ro
+
+# Add core dependencies
+BindReadOnlyPaths=/etc/ /lib/ /lib64/
+
+# Add daemon paths
+BindReadOnlyPaths=/usr/local/bin/dogecoind /usr/local/etc/dogecoin/
+BindPaths=/var/local/dogecoin/
+
+### Restrict access to system.
+
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+DevicePolicy=closed
+ProtectHome=true
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+
+# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem,
+# since it remounts root as read only over the top.
+# In this case, do not enable ProtectSystem.
+#ProtectSystem=strict
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/init/dogecoind.opt.service b/contrib/init/dogecoind.opt.service
new file mode 100644
index 000000000..42cb73f45
--- /dev/null
+++ b/contrib/init/dogecoind.opt.service
@@ -0,0 +1,74 @@
+# This variant of the unit file is for "opt" add-on installations that do not form part of the default installation.
+# (i.e. out of band installations by the user, not installed by a system package manager like "apt")
+#
+# The relevant paths are:
+#
+#/opt/dogecoin/dogecoind
+#/etc/opt/dogecoin/
+#/var/opt/dogecoin/
+
+[Unit]
+Description=Dogecoin's distributed currency daemon
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/dogecoin/bin/dogecoind -conf=/etc/opt/dogecoin/dogecoin.conf -datadir=/var/opt/dogecoin
+
+KillSignal=SIGINT
+Restart=always
+RestartSec=5
+TimeoutStopSec=60
+TimeoutStartSec=5
+StartLimitIntervalSec=120
+StartLimitBurst=5
+
+User=dogecoin
+Group=dogecoin
+
+### Restrict resource consumption
+MemoryAccounting=yes
+MemoryLimit=3g
+
+### Restrict access to host file system.
+#
+# Hide the entire root file system by default, and *only* mount in exactly what is needed.
+#
+
+TemporaryFileSystem=/:ro
+
+# Add core dependencies
+BindReadOnlyPaths=/etc/ /lib/ /lib64/
+
+# Add daemon paths
+BindReadOnlyPaths=/opt/dogecoin/ /etc/opt/dogecoin/
+BindPaths=/var/opt/dogecoin/
+
+### Restrict access to system.
+
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+DevicePolicy=closed
+ProtectHome=true
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+
+# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem,
+# since it remounts root as read only over the top.
+# In this case, do not enable ProtectSystem.
+#ProtectSystem=strict
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/init/dogecoind.service b/contrib/init/dogecoind.service
index 159222280..1a9ac80c3 100644
--- a/contrib/init/dogecoind.service
+++ b/contrib/init/dogecoind.service
@@ -1,22 +1,73 @@
+# This variant of the unit file is for package installations.
+#
+# The relevant paths are:
+#
+#/usr/bin/dogecoind
+#/etc/dogecoin/
+#/var/lib/dogecoin/
+
 [Unit]
 Description=Dogecoin's distributed currency daemon
 After=network.target
 
 [Service]
+Type=simple
+ExecStart=/usr/bin/dogecoind -conf=/etc/dogecoin/dogecoin.conf -datadir=/var/lib/dogecoin
+
+KillSignal=SIGINT
+Restart=always
+RestartSec=5
+TimeoutStopSec=60
+TimeoutStartSec=5
+StartLimitIntervalSec=120
+StartLimitBurst=5
+
 User=dogecoin
 Group=dogecoin
 
-Type=forking
-PIDFile=/var/lib/dogecoind/dogecoind.pid
-ExecStart=/usr/bin/dogecoind -daemon -pid=/var/lib/dogecoind/dogecoind.pid \
--conf=/etc/dogecoin/dogecoin.conf -datadir=/var/lib/dogecoind -disablewallet
+### Restrict resource consumption
+MemoryAccounting=yes
+MemoryLimit=3g
 
-Restart=always
+### Restrict access to host file system.
+#
+# Hide the entire root file system by default, and *only* mount in exactly what is needed.
+#
+
+TemporaryFileSystem=/:ro
+
+# Add core dependencies
+BindReadOnlyPaths=/etc/ /lib/ /lib64/
+
+# Add daemon paths
+BindReadOnlyPaths=/usr/bin/dogecoind /etc/dogecoin/
+BindPaths=/var/lib/dogecoin
+
+### Restrict access to system.
+
+NoNewPrivileges=true
 PrivateTmp=true
-TimeoutStopSec=60s
-TimeoutStartSec=2s
-StartLimitInterval=120s
-StartLimitBurst=5
+PrivateDevices=true
+PrivateUsers=true
+DevicePolicy=closed
+ProtectHome=true
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+
+# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem,
+# since it remounts root as read only over the top.
+# In this case, do not enable ProtectSystem.
+#ProtectSystem=strict
 
 [Install]
 WantedBy=multi-user.target