diff --git a/contrib/systemd/tlstunnel.service b/contrib/systemd/tlstunnel.service
new file mode 100644
index 0000000..2b85c9b
--- /dev/null
+++ b/contrib/systemd/tlstunnel.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=tlstunnel reverse proxy
+Documentation=https://sr.ht/~emersion/tlstunnel
+After=network.target
+
+[Service]
+User=tlstunnel
+ExecStart=/usr/bin/tlstunnel
+ExecReload=kill -HUP $MAINPID
+TimeoutStopSec=5s
+LimitNOFILE=1048576
+LimitNPROC=512
+
+# Hardening options
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=strict
+ReadWritePaths=/var/lib/tlstunnel
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/systemd/tlstunnel.sysusers b/contrib/systemd/tlstunnel.sysusers
new file mode 100644
index 0000000..2b56a45
--- /dev/null
+++ b/contrib/systemd/tlstunnel.sysusers
@@ -0,0 +1 @@
+u tlstunnel - "tlstunnel user" /var/lib/tlstunnel
diff --git a/contrib/systemd/tlstunnel.tmpfiles b/contrib/systemd/tlstunnel.tmpfiles
new file mode 100644
index 0000000..59ae79a
--- /dev/null
+++ b/contrib/systemd/tlstunnel.tmpfiles
@@ -0,0 +1 @@
+d /var/lib/tlstunnel 0750 tlstunnel tlstunnel -
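Review bot: The hardening block in tlstunnel.service stops short of the socket and system-call restrictions that usually accompany `NoNewPrivileges=true` for a network daemon; after `LockPersonality=true` I would add `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX`, `RestrictNamespaces=true`, `RestrictRealtime=true`, `RestrictSUIDSGID=true`, `SystemCallArchitectures=native` and `SystemCallFilter=@system-service`, which confine the proxy to the socket types and system calls a service of this kind needs. Exercise a reload (`kill -HUP`) and a normal connection cycle under the filter before shipping, since a syscall outside the allow list terminates the process rather than failing the call. Separately, `ExecReload=kill -HUP $MAINPID` relies on systemd resolving `kill` via PATH, which only newer systemd versions do; the portable spelling is `ExecReload=/bin/kill -HUP $MAINPID`.
```ini
# … unchanged: [Unit] section, User=, ExecStart= …
ExecReload=/bin/kill -HUP $MAINPID
# … unchanged: timeouts, limits, existing hardening options through LockPersonality=true …
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
# … unchanged: [Install] section …
```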
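Review bot: The `0750` mode in tlstunnel.tmpfiles leaves the state directory group-readable, which matters if the daemon keeps TLS private keys under `/var/lib/tlstunnel` (the diff does not show what is stored there, so this is an assumption to confirm); for a directory that may hold key material, `d /var/lib/tlstunnel 0700 tlstunnel tlstunnel -` is the safer default and costs nothing because the unit runs as that same user. An alternative is `StateDirectory=tlstunnel` in the `[Service]` section, which has systemd create and own the directory and would let both this tmpfiles entry and the `ReadWritePaths=/var/lib/tlstunnel` line be dropped; if that route is taken, pair it with `StateDirectoryMode=0700`, since the default mode is 0755.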