diff --git a/.gear/rules b/.gear/rules
index 951ddff..2c37a3f 100644
--- a/.gear/rules
+++ b/.gear/rules
@@ -1,2 +1,4 @@
 tar: @name@ name=@name@-@version@
 tar: .gear/predownloaded-development name=@name@-development-@version@ base=
+copy: @name@.service
+copy: @name@.env.example
diff --git a/lk-jwt-service.env.example b/lk-jwt-service.env.example
new file mode 100644
index 0000000..a5c3438
--- /dev/null
+++ b/lk-jwt-service.env.example
@@ -0,0 +1,11 @@
+# Mandatory
+LIVEKIT_KEY=YOUR_LIVEKIT_KEY
+LIVEKIT_SECRET=YOUR_LIVEKIT_SECRET
+LIVEKIT_URL=wss://example.com
+# Optional
+LIVEKIT_FULL_ACCESS_HOMESERVERS=example.com
+# Bind only to localhost when behind reverse proxy (recommended)
+LIVEKIT_JWT_BIND=127.0.0.1:8080
+
+# Never use in production:
+# LIVEKIT_INSECURE_SKIP_VERIFY_TLS=YES_I_KNOW_WHAT_I_AM_DOING
diff --git a/lk-jwt-service.service b/lk-jwt-service.service
new file mode 100644
index 0000000..32b05bb
--- /dev/null
+++ b/lk-jwt-service.service
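Review bot: The `LIVEKIT_KEY` and `LIVEKIT_SECRET` placeholders live in the very file the unit loads through `EnvironmentFile=`, while the unit's own comments call the systemd-credentials route "(preferred)", and nothing in the example points a reader at that alternative. Since the spec installs this template verbatim as the live `/etc/lk-jwt-service/lk-jwt-service.env`, a short header would steer operators correctly: `# Secrets: prefer LoadCredential= plus LIVEKIT_KEY_FROM_FILE/LIVEKIT_SECRET_FROM_FILE in lk-jwt-service.service; if you set them here, keep this file root-owned and not world-readable.` The `# Never use in production` guard on the TLS-verification override is good as written.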
@@ -0,0 +1,56 @@
+[Unit]
+Description=MatrixRTC Authorization Service (lk-jwt-service)
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/lk-jwt-service
+
+EnvironmentFile=-/etc/lk-jwt-service/lk-jwt-service.env
+
+# Secrets via systemd credentials (preferred)
+#LoadCredential=livekit_key:/etc/lk-jwt-service/livekit_key
+#LoadCredential=livekit_secret:/etc/lk-jwt-service/livekit_secret
+#Environment=LIVEKIT_KEY_FROM_FILE=%d/livekit_key
+#Environment=LIVEKIT_SECRET_FROM_FILE=%d/livekit_secret
+
+# --- Hardening ---
+DynamicUser=yes
+NoNewPrivileges=yes
+
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ProtectHome=yes
+
+ProtectControlGroups=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectClock=yes
+ProtectHostname=yes
+
+ProtectProc=invisible
+ProcSubset=pid
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictSUIDSGID=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+SystemCallArchitectures=native
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+KeyringMode=private
+RemoveIPC=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
+# Reliability
+Restart=on-failure
+RestartSec=2s
+TimeoutStartSec=30s
+TimeoutStopSec=30s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/lk-jwt-service.spec b/lk-jwt-service.spec
index 895ae44..2547aa3 100644
--- a/lk-jwt-service.spec
+++ b/lk-jwt-service.spec
@@ -10,6 +10,8 @@ VCS: https://github.com/element-hq/lk-jwt-service
 Source: %name-%version.tar
 Source1: %name-development-%version.tar
+Source2: %name.service
+Source3: %name.env
 BuildRequires: golang >= 1.23
 Requires: ca-certificates
@@ -36,6 +38,8 @@ go test -mod=vendor ./...
 %install
 install -Dpm0755 %{name} %{buildroot}%{_bindir}/%{name}
+install %SOURCE2 %{buildroot}%{_etcdir}/systemd/system/%name.service
+install %SOURCE3 %{buildroot}%{_etcdir}/%{name}/lk-jwt-service.env
 %files
 %doc README.md LICENSE LICENSE-COMMERCIAL
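Review bot: The block under `# --- Hardening ---` restricts the syscall architecture with `SystemCallArchitectures=native` but never installs a `SystemCallFilter=`, so the process keeps the full native syscall table and `systemd-analyze security` will score the unit well below what the rest of the sandboxing suggests. Add after `SystemCallArchitectures=native` the lines `SystemCallFilter=@system-service` and `SystemCallFilter=~@privileged @resources`, and with `DynamicUser=yes` already set, `PrivateUsers=yes` and `UMask=0077` are cheap additions; verify the Go binary starts cleanly under the filter before shipping. Separately, the leading `-` on `EnvironmentFile=-/etc/lk-jwt-service/lk-jwt-service.env` makes a missing or mis-installed config silent; because the spec packages that file, dropping the `-` turns a packaging error into a visible start failure instead of a service running without its `LIVEKIT_*` settings.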
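Review bot: `Source3: %name.env` names a file that appears neither in this diff nor in the gear rules, which copy `@name@.env.example` (first hunk of the diff), so source expansion fails before %prep ever runs. Change it to `Source3: %name.env.example` and keep the rename to `lk-jwt-service.env` at install time. Naming the source as the `.example` file also makes it explicit that what ships is a template with placeholder credentials, not a working configuration.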
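Review bot: The two added `install` lines omit `-D`, so `%{buildroot}%{_etcdir}/systemd/system` and `%{buildroot}%{_etcdir}/%{name}` do not exist when they run and %install aborts; they also omit `-m`, so the env file that carries `LIVEKIT_SECRET` lands with install's default mode 0755, world-readable on every host that installs the package. The unit is placed under the administrator's `/etc/systemd/system` rather than the packaged-unit directory `%_unitdir`, and I could not confirm `%_etcdir` is defined in this build environment — `%_sysconfdir` is the standard macro. systemd reads `EnvironmentFile=` before it switches to the dynamic user, so a root-owned 0640 file is sufficient for the service. The hunk also adds neither file to `%files`; unless a later hunk outside this view does, rpm stops on unpackaged files, and the env file should be `%config(noreplace)` so upgrades never overwrite real credentials.
```rpmspec
install -Dpm0755 %{name} %{buildroot}%{_bindir}/%{name}
install -Dpm0644 %SOURCE2 %{buildroot}%{_unitdir}/%{name}.service
install -Dpm0640 %SOURCE3 %{buildroot}%{_sysconfdir}/%{name}/%{name}.env

%files
# … unchanged: doc line …
%{_unitdir}/%{name}.service
%dir %attr(0750,root,root) %{_sysconfdir}/%{name}
%config(noreplace) %attr(0640,root,root) %{_sysconfdir}/%{name}/%{name}.env
```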