diff --git a/Makefile b/Makefile
index 739044c..2f75b75 100644
--- a/Makefile
+++ b/Makefile
@@ -7,7 +7,7 @@ MAN5DIR = $(DATADIR)/man/man5
 MAN8DIR = $(DATADIR)/man/man8
 SYSCONFDIR = /etc
 VARLIBDIR = /var/lib
-RUNSTATEDIR = /var/run
+RUNSTATEDIR = /run
 TARGET_DIR = ./target/$(TARGET)/release
 MAN_SRC_DIR = ./man/en
 MAN_DST_DIR = $(TARGET_DIR)/man
@@ -54,6 +54,7 @@ install:
 install -m 0644 $(TARGET_DIR)/man/acmed.toml.5.gz $(DESTDIR)$(MAN5DIR)/acmed.toml.5.gz; \
 install -m 0644 acmed/config/acmed.toml $(DESTDIR)$(SYSCONFDIR)/acmed/acmed.toml; \
 install -m 0644 acmed/config/default_hooks.toml $(DESTDIR)$(SYSCONFDIR)/acmed/default_hooks.toml; \
+ install -m 0644 acmed/config/letsencrypt.toml $(DESTDIR)$(SYSCONFDIR)/acmed/letsencrypt.toml; \
 fi
 if test -f "$(TARGET_DIR)/tacd"; then \
 install -m 0755 $(TARGET_DIR)/tacd $(DESTDIR)$(BINDIR)/tacd; \
diff --git a/acmed/config/letsencrypt.toml b/acmed/config/letsencrypt.toml
index 80ea99a..47e6e3d 100644
--- a/acmed/config/letsencrypt.toml
+++ b/acmed/config/letsencrypt.toml
@@ -1,16 +1,16 @@
 [[rate-limit]]
-name = "LE min"
+name = "Let's Encrypt rate-limit"
 number = 20
 period = "1s"
 
 [[endpoint]]
-name = "letsencrypt v2 prod"
+name = "Let's Encrypt v2 production"
 url = "https://acme-v02.api.letsencrypt.org/directory"
-rate_limits = ["LE min"]
+rate_limits = ["Let's Encrypt rate-limit"]
 tos_agreed = false
 
 [[endpoint]]
 name = "letsencrypt v2 staging"
 url = "https://acme-staging-v02.api.letsencrypt.org/directory"
-rate_limits = ["LE min"]
+rate_limits = ["Let's Encrypt rate-limit"]
 tos_agreed = false
diff --git a/contrib/acmed.service b/contrib/acmed.service
new file mode 100644
index 0000000..228a449
--- /dev/null
+++ b/contrib/acmed.service
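Review bot: The added `install -m 0644 acmed/config/letsencrypt.toml ...` line in the second Makefile hunk replaces any existing `$(SYSCONFDIR)/acmed/letsencrypt.toml` on every `make install`, and the file shipped in this commit carries `tos_agreed = false`, a value the operator presumably has to edit before the endpoint can be used. A reinstall or upgrade would then silently reset that edit; the neighbouring acmed.toml and default_hooks.toml lines behave the same way. Consider installing only when the destination is absent, e.g. `test -f "$(DESTDIR)$(SYSCONFDIR)/acmed/letsencrypt.toml" || install -m 0644 acmed/config/letsencrypt.toml "$(DESTDIR)$(SYSCONFDIR)/acmed/letsencrypt.toml"; \`. The `install` recipe starts and ends outside this hunk, so how the target directory is prepared is not visible here.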
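Review bot: The production endpoint becomes `Let's Encrypt v2 production` while the staging endpoint keeps `name = "letsencrypt v2 staging"`, so the two names no longer follow one convention; `name = "Let's Encrypt v2 staging"` would match. Names in this file act as reference keys (`rate_limits` points at the rate limit by name), so an existing configuration that still refers to `letsencrypt v2 prod` or `LE min` would presumably stop resolving after an upgrade. A short comment at the top of the file, or a changelog entry, naming the old and new identifiers would let operators catch that before certificate renewal fails.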
@@ -0,0 +1,39 @@
+[Unit]
+Description=ACME client daemon
+After=network.target
+
+[Service]
+User=acmed
+Group=acmed
+
+# Working directory equals to User-Home
+#WorkingDirectory=/var/lib/acmed
+WorkingDirectory=/etc/acmed
+RuntimeDirectory=acmed
+
+# daemon handling: start, stop, timeouts
+#ExecStart=/usr/bin/acmed --foreground --pid-file /run/acmed/acmed.pid --log-level debug --log-stderr
+ExecStart=/usr/bin/acmed --foreground --pid-file /run/acmed/acmed.pid --log-level warn
+TimeoutStartSec=3
+TimeoutStopSec=5
+Restart=on-failure
+KillSignal=SIGINT
+
+# Sandboxing: reduce privileges on filesystem and kernel-space
+# restrict write access to acmed's directories with variable data
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectHostname=yes
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+ProtectSystem=strict
+ReadWritePaths=/etc/acmed /var/lib/acmed
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/acmed.service.example b/contrib/acmed.service.example
deleted file mode 100644
index 96c2bb9..0000000
--- a/contrib/acmed.service.example
+++ /dev/null
@@ -1,29 +0,0 @@
-# systemd example unit file. Please adjust.
-
-[Unit]
-Description=ACME client daemon
-After=network.target
-
-[Service]
-User=acmed
-Group=acmed
-
-# Working directory
-WorkingDirectory=/etc/acmed
-
-# Starting, stopping, timeouts
-ExecStart=/usr/local/bin/acmed --foreground --pid-file /etc/acmed/acmed.pid --log-level debug --log-stderr
-TimeoutStartSec=3
-TimeoutStopSec=5
-Restart=on-failure
-KillSignal=SIGINT
-
-# Sandboxing, reduce privileges, only allow write access to working directory
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateUsers=yes
-ProtectSystem=strict
-ReadWritePaths=/etc/acmed/
-
-[Install]
-WantedBy=multi-user.target
diff --git a/contrib/tmpfiles.d/acmed.conf b/contrib/tmpfiles.d/acmed.conf
new file mode 100644
index 0000000..0ae94fe
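Review bot: `ReadWritePaths=/etc/acmed /var/lib/acmed` in the new contrib/acmed.service, together with `WorkingDirectory=/etc/acmed`, leaves the daemon able to rewrite its own configuration, including the hook definitions the Makefile installs under /etc/acmed. That undercuts `ProtectSystem=strict` and the unit's own comment about restricting writes to directories with variable data, because a compromised process could change the commands it is later asked to run. With the PID file now under `RuntimeDirectory=acmed`, `ReadWritePaths=/var/lib/acmed` (or `StateDirectory=acmed`) looks sufficient, assuming the shipped configuration keeps accounts and certificates under /var/lib/acmed. `ProtectHome=yes`, `ProtectKernelModules=yes` and `ProtectControlGroups=yes` would sit naturally beside the other Protect* lines, after checking that the configured hooks still work under them.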
--- /dev/null
+++ b/contrib/tmpfiles.d/acmed.conf
@@ -0,0 +1,13 @@
+###
+# acmed:
+# running as sandboxed deamon (UID/GID) needs Read/Write access
+# preset runtime environment, if not restricted via systemd unit
+###
+
+#Type Path Mode User Group Age Argument
+d /run/acmed 0755 acmed acmed - -
+f /run/acmed/acmed.pid 0644 acmed acmed - -
+
+d /var/lib/acmed 0755 acmed acmed - -
+d /var/lib/acmed/accounts 0700 acmed acmed - -
+d /var/lib/acmed/certs 0755 acmed acmed - -
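Review bot: `d /var/lib/acmed/certs 0755 acmed acmed - -` leaves the certificate directory world-traversable while `accounts` gets `0700`; if private keys are written next to the certificates (not visible in this diff), their confidentiality rests only on the per-file mode the daemon applies. `d /var/lib/acmed/certs 0750 acmed acmed - -`, with consuming services added to the `acmed` group, would keep the directory itself closed. The `d /run/acmed` and `f /run/acmed/acmed.pid` entries overlap with `RuntimeDirectory=acmed` in contrib/acmed.service, so a comment such as `# only needed when acmed is started without the systemd unit` above those two lines would make the intent explicit. The header comment also spells `deamon`.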