diff --git a/README.md b/README.md index 6503540..e5f18eb 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,11 @@ Installs as `stunnel.js` with the alias `jstunnel` npm install -g stunneld ``` +Then `dist/etc/systemd/system/stunneld.service` should be copied to `/etc/systemd/system/stunneld.service` and +the ARGUMENTS, such as SECRET, MUST BE CHANGED. + +*TODO*: make `--config /path/to/config` the only argument (and have the secret auto-generated on first run?) + ### Advanced Usage How to use `stunnel.js` with your own instance of `stunneld.js`: diff --git a/dist/etc/systemd/system/stunneld.service b/dist/etc/systemd/system/stunneld.service new file mode 100644 index 0000000..45bde07 --- /dev/null +++ b/dist/etc/systemd/system/stunneld.service @@ -0,0 +1,23 @@ +[Unit] +Description=Daplie Tunnel Server +After=network-online.target +Wants=network-online.target systemd-networkd-wait-online.service + +[Service] +# Always restart, unless it's restarting fast enough for us to believe it's completely broken +Restart=always +StartLimitInterval=10 +StartLimitBurst=3 + +User=www-data +Group=www-data +WorkingDirectory=/srv/stunneld +# TODO needs --config option and these options should go in a config file +ExecStart=/srv/stunneld/bin/stunneld.js --servernames tunnel.example.com --secret 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' --email tunnel@example.com --agree-tos + +CapabilityBoundingSet=CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_BIND_SERVICE +NoNewPrivileges=true + +[Install] +WantedBy=multi-user.target
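Review bot: In the README.md hunk, the added install step does not match the unit it points to. The context line above it installs with `npm install -g stunneld`, but the unit's `WorkingDirectory=/srv/stunneld` and `ExecStart=/srv/stunneld/bin/stunneld.js` assume a checkout under `/srv/stunneld`. Either document how the code gets to `/srv/stunneld` or point the unit at the globally installed binary. "the ARGUMENTS, such as SECRET" is also vague for a step marked MUST: name the three values an operator has to replace (`--servernames`, `--secret`, `--email`) and add the `systemctl daemon-reload` and enable/start steps, so the instructions are complete on their own.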
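Review bot: In the new dist/etc/systemd/system/stunneld.service, the `ExecStart=` line passes `--secret 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'` on the command line. That puts the tunnel secret in the process argument list, readable by any local user through a process listing, and in a unit file under `/etc/systemd/system` that is normally world-readable. The shipped placeholder is also a valid-looking value, so a host where the edit is forgotten starts with a publicly known secret. The `--config` option already noted in the TODO would fix both if the config file is owned by root with group `www-data` and mode 0640; until then, say in the README that the unit file's mode should be tightened, and consider having the unit ship without a usable secret so a missed edit fails at startup instead of running. Minor: `StartLimitInterval=` and `StartLimitBurst=` under `[Service]` are the legacy placement; on current systemd they belong in `[Unit]` (as `StartLimitIntervalSec=`), so a comment on which systemd versions this targets would help.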