OK, so from this example, it does look like we could potentially enable a few of those by default for all services. I would expect the following to work:
LockPersonality=true
MemoryDenyWriteExecute=true
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=ptraceable
RestrictRealtime=true
SystemCallArchitectures=native
Unfortunately we don’t have a way to set such defaults, nor do we have a way to exclude services from it, so that would be a per-service change. Here we would have to exclude chronyd from ProtectClock, for example.
I don’t think nginx is a good example however, as it’s not installed by default (we should likely focus on hardening all services installed by default in all of our variants) and it’s likely doing all sorts of weird things depending on the configuration.
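As an added example that is not part of this thread: a POSIX shell script that generates the per-service drop-ins the post says would be needed, applying the directive list above to each unit while leaving out per-service exclusions such as ProtectClock for chronyd. The exclusion table, the unit names and the drop-in file name 50-hardening.conf are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate per-service systemd drop-ins
# carrying the sandboxing directives above, minus per-service exclusions,
# since systemd has no global default or exclusion list for them.
# The exclusion table, unit names and drop-in file name are assumptions.
HARDENING="LockPersonality=true
MemoryDenyWriteExecute=true
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=ptraceable
RestrictRealtime=true
SystemCallArchitectures=native"

# Directives a unit must not receive (constructed table; extend as needed).
exclusions_for() {
    case "$1" in
        chronyd.service) echo "ProtectClock" ;;  # NTP daemon must set the clock
        *) ;;                                    # no exclusions by default
    esac
}

# Print the drop-in body for a unit, omitting its excluded directives.
dropin_for() {
    excluded=$(exclusions_for "$1")
    echo "[Service]"
    printf '%s\n' "$HARDENING" | while IFS= read -r line; do
        skip=0
        for ex in $excluded; do
            if [ "${line%%=*}" = "$ex" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ]; then echo "$line"; fi
    done
}

# Write /etc/systemd/system/<unit>.d/50-hardening.conf for each unit under
# an optional root directory (e.g. a staging dir for review before daemon-reload).
install_dropins() {
    root=${2:-}
    for unit in $1; do
        mkdir -p "$root/etc/systemd/system/$unit.d"
        dropin_for "$unit" > "$root/etc/systemd/system/$unit.d/50-hardening.conf"
    done
}
```

Call it as `install_dropins "chronyd.service sshd.service" /tmp/stage` to review the generated files, then without the root argument and a `systemctl daemon-reload` to apply them; `systemd-analyze security <unit>` shows the resulting exposure score.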