diff --git a/handlers/main.yml b/handlers/main.yml
index 8fd12c3..b5edc68 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -2,6 +2,6 @@
 loop: "{{ systemd.services }}"
 systemd:
 name: '{{ item.name }}'
- enabled: "{% if item.enabled %}yes{% else %}no{% endif %}"
+ enabled: "{% if item.enabled|default(false) %}yes{% else %}no{% endif %}"
 state: "{{ item.action }}"
- daemon_reload: "{% if item.daemon_reload %}yes{% else %}no{% endif %}"
+ daemon_reload: "{% if item.daemon_reload|default(false) %}yes{% else %}no{% endif %}"
diff --git a/templates/transmission-daemon.service.j2 b/templates/transmission-daemon.service.j2
new file mode 100644
index 0000000..f98cc00
--- /dev/null
+++ b/templates/transmission-daemon.service.j2
@@ -0,0 +1,30 @@
+[Unit]
+StartLimitIntervalSec=0
+
+[Service]
+User=root
+DynamicUser=true
+
+Restart=always
+RestartSec=10
+
+ProtectSystem=strict
+PrivateUsers=true
+NoNewPrivileges=yes
+
+ReadWritePaths={{ transmission.root_dir }}
+BindReadOnlyPaths=/usr /lib /lib64
+TemporaryFileSystem=/:ro
+Environment=TRANSMISSION_HOME={{ transmission.root_dir }}/.config
+
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+PrivateTmp=yes
+PrivateDevices=yes
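Review bot: Defaulting `item.enabled` to false on the `enabled:` line means a service entry that omits the key is now actively disabled whenever this handler runs, instead of having its enablement left alone. If the goal is only to avoid an undefined-variable error, `enabled: "{{ item.enabled | default(omit) }}"` leaves the unit's enablement untouched; `daemon_reload` can keep `default(false)`, which matches the module default. The `{% if %}` form also treats a string such as "false" as truthy, so adding `| bool` would be safer if these values can arrive from inventory or extra vars. The task's opening lines are outside the hunk.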
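Review bot: `User=root` alongside `DynamicUser=true` in `[Service]` keeps the daemon at uid 0, because systemd only allocates a dynamic user when the configured name does not already exist, and root always does. `PrivateUsers=true` removes host capabilities, but the process still runs as the owner of root-owned files under `ReadWritePaths=`, so containment rests on the mount options alone. Consider dropping the `User=root` line, or naming a dedicated unprivileged account, and making `{{ transmission.root_dir }}` writable by that account; an empty `CapabilityBoundingSet=` would be a sensible addition either way. The unit has no `ExecStart=`, so it is presumably applied as a drop-in; confirm the base unit does not set its own `User=`.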