diff --git a/extra/systemd/rustypaste.env b/extra/systemd/rustypaste.env
new file mode 100644
index 0000000..816e3b5
--- /dev/null
+++ b/extra/systemd/rustypaste.env
@@ -0,0 +1,2 @@
+# To enable basic HTTP auth, set the AUTH_TOKEN
+AUTH_TOKEN=""
diff --git a/extra/systemd/rustypaste.service b/extra/systemd/rustypaste.service
new file mode 100644
index 0000000..dee5f66
--- /dev/null
+++ b/extra/systemd/rustypaste.service
@@ -0,0 +1,31 @@
+[Unit]
+Description=Rustypaste server
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+User=rustypaste
+Group=rustypaste
+ExecStart=/usr/bin/rustypaste
+ReadWritePaths=/var/lib/rustypaste
+ReadOnlyPaths=/etc/rustypaste
+
+WorkingDirectory=/var/lib/rustypaste
+Environment="CONFIG=/etc/rustypaste/config.toml"
+EnvironmentFile=/etc/rustypaste/rustypaste.env
+
+# Hardening options
+CapabilityBoundingSet=
+AmbientCapabilities=
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+PrivateTmp=true
+PrivateDevices=true
+LockPersonality=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/extra/systemd/rustypaste.sysusers b/extra/systemd/rustypaste.sysusers
new file mode 100644
index 0000000..6ff7ad2
--- /dev/null
+++ b/extra/systemd/rustypaste.sysusers
@@ -0,0 +1 @@
+u rustypaste - "Minimal file upload/pastebin service" /var/lib/rustypaste
diff --git a/extra/systemd/rustypaste.tmpfiles b/extra/systemd/rustypaste.tmpfiles
new file mode 100644
index 0000000..a449e18
--- /dev/null
+++ b/extra/systemd/rustypaste.tmpfiles
@@ -0,0 +1 @@
+d /var/lib/rustypaste 0750 rustypaste rustypaste
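Review bot: rustypaste.env will hold the upload token once `AUTH_TOKEN` is filled in, but nothing in the commit says how the file should be installed; the sysusers and tmpfiles entries cover only /var/lib/rustypaste. systemd loads `EnvironmentFile=` before privileges are dropped to `User=`, so the file does not need to be readable by the service account or anyone else; a header comment such as `# Holds a secret: install as root:root, mode 0600` would tell packagers. Shipping `AUTH_TOKEN=""` also leaves authentication off by default, and whether the server treats a set-but-empty value as unset is not visible here, so a commented-out `#AUTH_TOKEN=` may be the safer template.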
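Review bot: The hardening block in rustypaste.service stops at filesystem and capability restrictions and leaves the syscall surface, namespaces and socket families unrestricted, which matters for a daemon that accepts uploads from the network. Consider adding the directives below after `LockPersonality=true`; they are standard systemd sandboxing options and should suit a plain HTTP server, but confirm with `systemd-analyze security rustypaste.service` and a test upload. Separately, with `ProtectSystem=strict` only /var/lib/rustypaste is writable, so the upload directory in config.toml presumably has to live under it, and a one-line comment beside `ReadWritePaths=` would spare an operator a confusing read-only-filesystem error.

```ini
# … unchanged: existing hardening options through LockPersonality=true …
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictSUIDSGID=true
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
MemoryDenyWriteExecute=true
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
```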