diff --git a/etc/systemd/system/certbot-ocsp-fetcher.service b/etc/systemd/system/certbot-ocsp-fetcher.service
index 97f8d12..9034fc9 100644
--- a/etc/systemd/system/certbot-ocsp-fetcher.service
+++ b/etc/systemd/system/certbot-ocsp-fetcher.service
@@ -1,14 +1,57 @@
 [Unit]
-Description=Automatic OCSP Fetcher
-After=docker.service
-Requires=network-online.target
-Requires=docker.service
+Description=Fetch OCSP responses for all certificates issued with Certbot
 
 [Service]
-User=root
-Group=root
-ExecStart=/usr/local/bin/certbot-ocsp-fetcher -o /etc/nginx/ocsp-cache
 Type=oneshot
 
-[Install]
-WantedBy=multi-user.target
\ No newline at end of file
+Restart=on-failure
+
+CacheDirectory=%N
+
+User=root
+Group=root
+ExecStart=%N --no-reload-webserver -o /var/cache/certbot-ocsp-fetcher
+ExecStartPost=systemctl reload nginx.service
+
+RestartSec=5
+PrivateDevices=true
+PrivateTmp=yes
+PrivateUsers=yes
+PrivateIPC=true
+
+NoNewPrivileges=true
+LockPersonality=true
+
+CapabilityBoundingSet=
+ProtectHome=yes
+ProtectControlGroups=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectClock=true
+ProtectProc=invisible
+ProcSubset=pid
+ProtectHostname=true
+RemoveIPC=true
+
+RestrictAddressFamilies=AF_INET6 AF_INET AF_UNIX
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+
+DevicePolicy=strict
+DeviceAllow=/dev/random r
+DeviceAllow=/dev/urandom r
+DeviceAllow=/dev/stdin r
+DeviceAllow=/dev/stdout r
+DeviceAllow=/dev/null w
+
+ProtectSystem=strict
+InaccessiblePaths=/root/
+ReadOnlyPaths=/etc/letsencrypt
+UMask=0077
+
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@clock @debug @module @mount @reboot @swap @resources @cpu-emulation @raw-io @obsolete @keyring @privileged
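Review bot: `ExecStartPost=systemctl reload nginx.service` makes this oneshot unit fail whenever nginx is stopped or not yet started, and with `Restart=on-failure` plus `RestartSec=5` the whole fetch is then re-run every five seconds (until start-rate limiting intervenes) even though the OCSP responses were already written; `ExecStartPost=systemctl try-reload-or-restart nginx.service` reloads only when nginx is actually running. The `[Unit]` section also drops `Requires=network-online.target` without a replacement, so a timer that fires early in boot can run the fetch before the network is up; `Wants=network-online.target` together with `After=network-online.target` would order it. It is worth confirming on the target systemd release that `ExecStart=%N` (a bare command name instead of the former absolute path), `Restart=` on a `Type=oneshot` service, and the `systemctl` call under `PrivateUsers=yes` with an empty `CapabilityBoundingSet=` all behave as intended, since older releases reject the first two. The hunk covers the whole file; the removed `[Install]` section presumably means the unit is now pulled in by a timer defined elsewhere, and the nginx configuration presumably already points at the new cache path.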