diff --git a/etc/systemd/system/boot-efi.mount.d/50_security-misc.conf b/etc/systemd/system/boot-efi.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..ab51a69b
--- /dev/null
+++ b/etc/systemd/system/boot-efi.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,noexec,nosuid
diff --git a/etc/systemd/system/boot.mount.d/50_security-misc.conf b/etc/systemd/system/boot.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..ab51a69b
--- /dev/null
+++ b/etc/systemd/system/boot.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,noexec,nosuid
diff --git a/etc/systemd/system/home.mount.d/50_security-misc.conf b/etc/systemd/system/home.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..c21897d3
--- /dev/null
+++ b/etc/systemd/system/home.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,nosuid
diff --git a/etc/systemd/system/tmp.mount.d/50_security-misc.conf b/etc/systemd/system/tmp.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..ab51a69b
--- /dev/null
+++ b/etc/systemd/system/tmp.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,noexec,nosuid
diff --git a/etc/systemd/system/usr-share.mount.d/50_security-misc.conf b/etc/systemd/system/usr-share.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..bb8ebcf0
--- /dev/null
+++ b/etc/systemd/system/usr-share.mount.d/50_security-misc.conf
@@ -0,0 +1,5 @@
+[Unit]
+Before=usr.mount
+
+[Mount]
+Options=nodev,nosuid
diff --git a/etc/systemd/system/usr.mount.d/50_security-misc.conf b/etc/systemd/system/usr.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..638cb8be
--- /dev/null
+++ b/etc/systemd/system/usr.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev
diff --git a/etc/systemd/system/var-log-audit.mount.d/50_security-misc.conf b/etc/systemd/system/var-log-audit.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..ab51a69b
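Review bot: `Options=nodev,noexec,nosuid` in this drop-in replaces the unit's existing Options= value instead of appending to it, because Options= is a single-value setting in mount units; the same applies to the boot, home, tmp, usr-share, usr, var-log-audit, var-log, var-tmp and var drop-ins in this commit. For an fstab-generated boot-efi.mount this silently discards whatever the fstab entry carried (a vfat `umask=` or a btrfs `subvol=`, for example), and for the bind-mount units shipped under lib/systemd/system it drops the `bind` option itself, so `What=/boot` / `Where=/boot` would be attempted as a plain device mount and fail. A static drop-in cannot restate a per-host option string, so a remount step after the mount (the approach remount-api already takes) or editing the option string at install time is the safer way to harden fstab mounts; the shipped bind units already carry these flags, so the drop-ins add nothing there.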
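Review bot: `Before=usr.mount` orders the /usr/share mount ahead of the /usr mount, which contradicts the ordering systemd adds automatically for nested mount paths (a mount unit gets After= and Requires= on the mount unit of its parent path), so the two directives form an ordering cycle that systemd resolves by dropping a job from the transaction; the same line appears in the var-log.mount.d drop-in and in the shipped usr-share.mount and var-log.mount units. Even where the cycle is broken in the intended direction, a later non-recursive bind of /usr over itself would, as far as I can tell, shadow the mount underneath at /usr/share, so path lookups would no longer see the hardened flags. Dropping the `Before=usr.mount` line and relying on the default parent-before-child ordering keeps both mounts effective.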
--- /dev/null
+++ b/etc/systemd/system/var-log-audit.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,noexec,nosuid
diff --git a/etc/systemd/system/var-log.mount.d/50_security-misc.conf b/etc/systemd/system/var-log.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..6a1b3395
--- /dev/null
+++ b/etc/systemd/system/var-log.mount.d/50_security-misc.conf
@@ -0,0 +1,5 @@
+[Unit]
+Before=var.mount
+
+[Mount]
+Options=nodev,noexec,nosuid
diff --git a/etc/systemd/system/var-tmp.mount.d/50_security-misc.conf b/etc/systemd/system/var-tmp.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..ab51a69b
--- /dev/null
+++ b/etc/systemd/system/var-tmp.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,noexec,nosuid
diff --git a/etc/systemd/system/var.mount.d/50_security-misc.conf b/etc/systemd/system/var.mount.d/50_security-misc.conf
new file mode 100644
index 00000000..c21897d3
--- /dev/null
+++ b/etc/systemd/system/var.mount.d/50_security-misc.conf
@@ -0,0 +1,2 @@
+[Mount]
+Options=nodev,nosuid
diff --git a/lib/systemd/system/boot.mount b/lib/systemd/system/boot.mount
new file mode 100644
index 00000000..d5a26841
--- /dev/null
+++ b/lib/systemd/system/boot.mount
@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /boot with no dedicated partition
+
+[Mount]
+What=/boot
+Where=/boot
+Options=defaults,nodev,noexec,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target
diff --git a/lib/systemd/system/home.mount b/lib/systemd/system/home.mount
new file mode 100644
index 00000000..9892386a
--- /dev/null
+++ b/lib/systemd/system/home.mount
@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /home with no dedicated partition
+
+[Mount]
+What=/home
+Where=/home
+Options=defaults,nodev,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target
diff --git a/lib/systemd/system/remount-api.service b/lib/systemd/system/remount-api.service
new file mode 100644
index 00000000..d01a2651
--- /dev/null
+++ b/lib/systemd/system/remount-api.service
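Review bot: `Options=defaults,nodev,noexec,nosuid,bind` relies on mount(8) applying the VFS flags while performing a bind mount; util-linux only started issuing the extra remount that makes `bind` plus flags take effect in 2.27, and older releases silently ignored the flags and bound /boot with its existing options. If the supported platforms may ship an older util-linux, either follow the bind with an explicit remount (as remount-api does for /dev and /dev/shm) or verify the outcome after boot with `findmnt -o TARGET,OPTIONS /boot` rather than trusting the unit file. The same caveat applies to home.mount, usr-share.mount, usr.mount, var-log.mount, var-tmp.mount and var.mount.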
@@ -0,0 +1,26 @@
+# https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
+# When not editing fstab, some filesystems have to be remounted in order to be hardened
+
+[Unit]
+Description=Remounts what can not be mounted with secure options in the first run without having to edit fstab
+
+Before=sysinit-post.target
+Before=basic.target
+Before=multi-user.target
+Before=graphical.target
+Before=getty-pre.target
+Before=network-pre.target
+
+After=local-fs.target
+After=sysinit.target
+After=qubes-sysinit.service
+
+Requires=local-fs.target
+Requires=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=remount-api
+
+[Install]
+WantedBy=sysinit-post.target
diff --git a/lib/systemd/system/tmp.mount b/lib/systemd/system/tmp.mount
new file mode 100644
index 00000000..419dfab6
--- /dev/null
+++ b/lib/systemd/system/tmp.mount
@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /tmp with no dedicated partition
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Options=defaults,nodev,noexec,nosuid
+
+[Install]
+WantedBy=sysinit.target
diff --git a/lib/systemd/system/usr-share.mount b/lib/systemd/system/usr-share.mount
new file mode 100644
index 00000000..be86cddf
--- /dev/null
+++ b/lib/systemd/system/usr-share.mount
@@ -0,0 +1,11 @@
+[Unit]
+Description=Bind Mount /usr/share with no dedicated partition
+Before=usr.mount
+
+[Mount]
+What=/usr/share
+Where=/usr/share
+Options=defaults,nodev,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target
diff --git a/lib/systemd/system/usr.mount b/lib/systemd/system/usr.mount
new file mode 100644
index 00000000..99840644
--- /dev/null
+++ b/lib/systemd/system/usr.mount
@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /usr with no dedicated partition
+
+[Mount]
+What=/usr
+Where=/usr
+Options=defaults,nodev,bind
+
+[Install]
+WantedBy=sysinit.target
diff --git a/lib/systemd/system/var-log.mount b/lib/systemd/system/var-log.mount
new file mode 100644
index 00000000..66079b03
--- /dev/null
+++ b/lib/systemd/system/var-log.mount
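Review bot: `ExecStart=remount-api` is a bare command name; systemd resolves a non-absolute ExecStart= against a fixed search path only since v239, and on anything older the unit fails to load, so `ExecStart=/usr/bin/remount-api` is the portable form. `Before=sysinit-post.target` and `WantedBy=sysinit-post.target` reference a target that systemd itself does not ship; if it is not provided by this or another package, `systemctl enable` has nothing to hook into and the ordering line is silently ignored, so it is worth stating in a comment where that target comes from. The After=local-fs.target / Requires=local-fs.target pair is the right ordering for remounting API filesystems that are already up, and deserves a one-line comment saying so.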
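Review bot: `What=tmpfs` has no matching `Type=tmpfs`, so mount(8) is invoked without a filesystem type and has to guess it from the source, which does not work for a pseudo-filesystem name; add `Type=tmpfs` under `[Mount]`. The Description says "Bind Mount /tmp" but this unit creates a tmpfs, not a bind mount, so `Description=Mount /tmp as tmpfs with no dedicated partition` would be accurate. Since noexec on /tmp is a known source of breakage for software that executes from there, a short comment in the unit naming that trade-off would help whoever debugs it later.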
@@ -0,0 +1,11 @@
+[Unit]
+Description=Bind Mount /var/log with no dedicated partition
+Before=var.mount
+
+[Mount]
+What=/var/log
+Where=/var/log
+Options=defaults,nodev,noexec,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target
diff --git a/lib/systemd/system/var-tmp.mount b/lib/systemd/system/var-tmp.mount
new file mode 100644
index 00000000..04aec104
--- /dev/null
+++ b/lib/systemd/system/var-tmp.mount
@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /var/tmp with no dedicated partition
+
+[Mount]
+What=/var/tmp
+Where=/tmp
+Options=defaults,nodev,noexec,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target
diff --git a/lib/systemd/system/var.mount b/lib/systemd/system/var.mount
new file mode 100644
index 00000000..d9fae23d
--- /dev/null
+++ b/lib/systemd/system/var.mount
@@ -0,0 +1,10 @@
+[Unit]
+Description=Bind Mount /var with no dedicated partition
+
+[Mount]
+What=/var
+Where=/var
+Options=defaults,nodev,nosuid,bind
+
+[Install]
+WantedBy=sysinit.target
diff --git a/usr/bin/remount-api b/usr/bin/remount-api
new file mode 100644
index 00000000..9fc4a844
--- /dev/null
+++ b/usr/bin/remount-api
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+## This one seems to be superfluous because debian seems to mount run hardened anyway
+# mount -o defaults,nodev,noexec,nosuid,remount /run
+
+mount -o defaults,nodev,noexec,nosuid,remount /dev/shm
+mount -o defaults,noexec,nosuid,remount /dev
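Review bot: `Where=/tmp` in var-tmp.mount does not match the unit name; systemd requires Where= to be the escaped form of the unit name and refuses to load a mount unit where it is not, and even if it did load it would bind /var/tmp over /tmp instead of hardening /var/tmp. Change it to `Where=/var/tmp`. The Description and What= lines already say /var/tmp, so this looks like a copy-paste slip from tmp.mount.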
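Review bot: The script is added with mode 100644, so unless the packaging sets the executable bit, `ExecStart=remount-api` in remount-api.service cannot run it; it should be committed as 100755. It also has no error handling: the service's result is the exit status of the last `mount`, so a failed remount of /dev/shm is masked by a successful remount of /dev. Add `set -o errexit` after the shebang so a failed remount marks the service failed and shows up in the journal. The commented-out /run remount is described as superfluous on Debian; naming which unit or generator provides the hardened /run would let that assumption be re-checked when the base system changes.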