diff --git a/contrib/systemd/system-user-telemt.conf b/contrib/systemd/system-user-telemt.conf
new file mode 100644
index 0000000..918956c
--- /dev/null
+++ b/contrib/systemd/system-user-telemt.conf
@@ -0,0 +1,3 @@
+u telemt - "telemt user" /var/lib/telemt -
+g telemt - -
+m telemt telemt
diff --git a/contrib/systemd/telemt.service b/contrib/systemd/telemt.service
new file mode 100644
index 0000000..8e08efc
--- /dev/null
+++ b/contrib/systemd/telemt.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=Telemt
+Wants=network-online.target
+After=multi-user.target network.target network-online.target
+
+[Service]
+Type=simple
+User=telemt
+Group=telemt
+WorkingDirectory=/var/lib/telemt
+ExecStart=/bin/telemt /etc/telemt/telemt.toml
+Restart=on-failure
+RestartSec=10
+LimitNOFILE=65536
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+ProtectSystem=strict
+ProtectHome=read-only
+SystemCallFilter=~@mount
+ReadWritePaths=/var/lib/telemt
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/systemd/tmpfiles-telemt.conf b/contrib/systemd/tmpfiles-telemt.conf
new file mode 100644
index 0000000..7c6628b
--- /dev/null
+++ b/contrib/systemd/tmpfiles-telemt.conf
@@ -0,0 +1 @@
+d /var/lib/telemt 700 telemt telemt
diff --git a/telemt.service b/telemt.service
deleted file mode 100644
index f163057..0000000
--- a/telemt.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Telemt
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-Type=simple
-WorkingDirectory=/etc/telemt
-ExecStart=/bin/telemt /etc/telemt.toml
-Restart=on-failure
-LimitNOFILE=262144
-TasksMax=8192
-MemoryAccounting=yes
-
-[Install]
-WantedBy=multi-user.target
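Review bot: The `g telemt - -` and `m telemt telemt` lines in `system-user-telemt.conf` look redundant, because per sysusers.d(5) a `u` line already creates a group of the same name and uses it as the user's primary group. The file could be reduced to the `u` line alone. Nothing in this commit shows how the snippet gets installed, so a leading comment such as `# install as /usr/lib/sysusers.d/telemt.conf (example name)` would tell packagers where it belongs.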
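Review bot: The sandbox in `[Service]` still leaves most of the syscall and socket surface of this network-facing daemon open: `SystemCallFilter=~@mount` denies only the mount group, and nothing restricts address families. Consider an allow-list instead, e.g. `SystemCallFilter=@system-service`, `SystemCallArchitectures=native` and `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX`, after testing them against the binary; `systemd-analyze security telemt.service` lists what remains exposed. As far as the unit shows, the service only reads `/etc/telemt` and writes `/var/lib/telemt`, so `ProtectHome=read-only` could probably be tightened to `ProtectHome=yes`. Separately, `After=multi-user.target` on a unit that is `WantedBy=multi-user.target` is unusual and, depending on the systemd version, can produce an ordering cycle at boot; dropping `multi-user.target` from `After=` avoids that.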
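Review bot: The unit added in this commit depends on `/var/lib/telemt` existing before start, since both `WorkingDirectory=` and `ReadWritePaths=` name it, so the service will fail to start on a host where this tmpfiles snippet was not installed or applied. Declaring `StateDirectory=telemt` and `StateDirectoryMode=0700` in `telemt.service` would have systemd create the directory with the right owner itself and make this file optional. If the snippet stays, writing the mode as `0700` matches the usual tmpfiles.d convention.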