diff --git a/data/systemd/CMakeLists.txt b/data/systemd/CMakeLists.txt
index 397ccc4..e4a01e2 100644
--- a/data/systemd/CMakeLists.txt
+++ b/data/systemd/CMakeLists.txt
@@ -3,5 +3,3 @@ if (NOT DEFINED SYSTEMD_SYSTEM_UNIT_DIR)
 pkg_check_modules(Systemd REQUIRED systemd)
 pkg_get_variable(SYSTEMD_SYSTEM_UNIT_DIR systemd systemduserunitdir)
 endif()
-
-install(FILES override.conf DESTINATION ${SYSTEMD_SYSTEM_UNIT_DIR}/seatd.service.d/)
diff --git a/data/systemd/override.conf b/data/systemd/override.conf
deleted file mode 100644
index 19f348d..0000000
--- a/data/systemd/override.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-[Service]
-Environment=SEATD_VTBOUND=0
-ExecStart=
-ExecStart=seatd -u dde -g dde -l debug
diff --git a/services/CMakeLists.txt b/services/CMakeLists.txt
index d584fae..c8bee4d 100644
--- a/services/CMakeLists.txt
+++ b/services/CMakeLists.txt
@@ -2,6 +2,9 @@ if(SYSTEMD_FOUND)
 configure_file(ddm.service.in ddm.service)
 install(FILES "${CMAKE_CURRENT_BINARY_DIR}/ddm.service" DESTINATION "${SYSTEMD_SYSTEM_UNIT_DIR}")
 
+ configure_file(seatd-dde.service.in seatd-dde.service)
+ install(FILES "${CMAKE_CURRENT_BINARY_DIR}/seatd-dde.service" DESTINATION "${SYSTEMD_SYSTEM_UNIT_DIR}")
+
 configure_file(ddm-sysuser.conf.in ddm-sysuser.conf)
 install(FILES "${CMAKE_CURRENT_BINARY_DIR}/ddm-sysuser.conf" DESTINATION "${SYSTEMD_SYSUSERS_DIR}" RENAME dde.conf)
 endif()
diff --git a/services/ddm.service.in b/services/ddm.service.in
index 6231442..143bc7b 100644
--- a/services/ddm.service.in
+++ b/services/ddm.service.in
@@ -7,8 +7,8 @@ PartOf=graphical.target
 
 StartLimitIntervalSec=30
 StartLimitBurst=2
-Requires=seatd.service
-Before=seatd.service
+Requires=seatd-dde.service
+Before=seatd-dde.service
 
 [Service]
 ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/ddm
diff --git a/services/seatd-dde.service.in b/services/seatd-dde.service.in
new file mode 100644
index 0000000..a0f9358
--- /dev/null
+++ b/services/seatd-dde.service.in
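Review bot: The new `configure_file(seatd-dde.service.in seatd-dde.service)` call in the services/CMakeLists.txt hunk lacks `@ONLY`, so CMake will also expand `${VAR}` references — the same syntax systemd uses for environment expansion in `ExecStart=` and `Environment=` lines — to their configure-time (usually empty) values. The template added in this commit uses no `${…}` or `@…@` substitutions, so nothing breaks today, but the first `${VAR}` someone adds to the unit would be silently blanked at build time rather than left for systemd. Prefer `configure_file(seatd-dde.service.in seatd-dde.service @ONLY)`; the existing `ddm.service` line above has the same exposure.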
@@ -0,0 +1,62 @@
+[Unit]
+Description=Seat management daemon for DDE
+Documentation=man:seatd(1)
+Conflicts=seatd.service
+
+[Service]
+Type=simple
+Environment=SEATD_VTBOUND=0
+ExecStart=seatd -u dde -g dde
+Restart=always
+RestartSec=1
+
+# Filesystem lockdown
+ProtectHome=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectControlGroups=true
+PrivateTmp=true
+ProtectProc=invisible
+ProcSubset=pid
+UMask=0077
+
+# Privilege escalation
+NoNewPrivileges=true
+RestrictSUIDSGID=true
+
+# Network
+PrivateNetwork=true
+IPAddressDeny=any
+
+# System call interfaces
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+
+# Kernel
+ProtectKernelLogs=true
+ProtectKernelModules=true
+LockPersonality=true
+
+# Namespaces
+RestrictNamespaces=true
+
+# Service capabilities
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_SYS_TTY_CONFIG CAP_DAC_OVERRIDE
+RestrictAddressFamilies=AF_UNIX
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+ProtectClock=true
+ProtectHostname=true
+
+# Devices
+DevicePolicy=strict
+DeviceAllow=char-/dev/console rw
+DeviceAllow=char-drm rw
+DeviceAllow=char-input rw
+DeviceAllow=char-tty rw
+DeviceAllow=/dev/null rw
+
+[Install]
+WantedBy=multi-user.target
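Review bot: `ProtectSystem=strict` (under `# Filesystem lockdown`) mounts the entire hierarchy read-only except /dev, /proc and /sys, and the unit sets no `ReadWritePaths=` or `RuntimeDirectory=`, so the daemon has nowhere writable under /run. seatd's default listening socket lives directly under /run (confirm against the seatd build in use), so the bind behind `ExecStart=seatd -u dde -g dde` and the ownership change implied by `-u dde -g dde` would fail, and `Restart=always` with `RestartSec=1` would then respawn the unit every second. Add `ReadWritePaths=/run` (or the narrowest path the socket actually needs) next to `ProtectSystem=strict`, and start the unit once on a test machine to confirm the remaining sandbox settings (`SystemCallFilter=~@resources`, `CapabilityBoundingSet=…`, `DevicePolicy=strict`) deny nothing the daemon uses, since the `override.conf` removed in this commit carried none of these restrictions.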