diff --git a/contrib/systemd/README.md b/contrib/systemd/README.md
new file mode 100644
index 0000000..707b4d7
--- /dev/null
+++ b/contrib/systemd/README.md
@@ -0,0 +1,60 @@
+# systemd unit files
+
+Two flavours: a per-user service (no root needed) and a system service.
+
+## Per-user (recommended for personal use)
+
+Runs under your login, socket lives in `$XDG_RUNTIME_DIR/cubby.sock`.
+
+```bash
+go build -o ~/.local/bin/cubby ./cmd/cubby
+
+mkdir -p ~/.config/systemd/user
+cp contrib/systemd/cubby.user.service ~/.config/systemd/user/cubby.service
+
+systemctl --user daemon-reload
+systemctl --user enable --now cubby.service
+systemctl --user status cubby.service
+```
+
+To survive logout/reboot without an active session:
+
+```bash
+sudo loginctl enable-linger "$USER"
+```
+
+The socket path is `/run/user/$(id -u)/cubby.sock`.
+
+## System-wide (shared across users via a group)
+
+Runs as a dedicated `cubby` user, socket at `/run/cubby/cubby.sock`,
+readable/writable by members of the `cubby` group.
+
+```bash
+sudo useradd --system --no-create-home --shell /usr/sbin/nologin cubby
+sudo go build -o /usr/local/bin/cubby ./cmd/cubby
+# or: go build -o ./cubby ./cmd/cubby && sudo install -m 0755 ./cubby /usr/local/bin/cubby
+
+sudo cp contrib/systemd/cubby.service /etc/systemd/system/cubby.service
+sudo systemctl daemon-reload
+sudo systemctl enable --now cubby.service
+sudo systemctl status cubby.service
+
+# Add yourself (and others) to the cubby group to connect:
+sudo usermod -aG cubby "$USER"
+# log out and back in for new group membership to take effect
+```
+
+## Common operations
+
+```bash
+# user service
+systemctl --user restart cubby
+systemctl --user stop cubby
+journalctl --user -u cubby -f
+
+# system service
+sudo systemctl restart cubby
+sudo systemctl stop cubby
+sudo journalctl -u cubby -f
+```
diff --git a/contrib/systemd/cubby.service b/contrib/systemd/cubby.service
new file mode 100644
index 0000000..b1c54ff
--- /dev/null
+++ b/contrib/systemd/cubby.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=Cubby in-memory key-value cache (system-wide)
+Documentation=https://git.juancwu.dev/juancwu/cubby
+After=network.target
+
+[Service]
+Type=simple
+# Run as a dedicated user. Create with:
+# sudo useradd --system --no-create-home --shell /usr/sbin/nologin cubby
+User=cubby
+Group=cubby
+
+# Path to the cubby binary. Build with:
+# go build -o /usr/local/bin/cubby ./cmd/cubby
+ExecStart=/usr/local/bin/cubby -socket /run/cubby/cubby.sock -group cubby
+
+# /run/cubby/ is created automatically and owned by User/Group above.
+RuntimeDirectory=cubby
+RuntimeDirectoryMode=0755
+
+Restart=on-failure
+RestartSec=2s
+
+# Hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/systemd/cubby.user.service b/contrib/systemd/cubby.user.service
new file mode 100644
index 0000000..7d09a3a
--- /dev/null
+++ b/contrib/systemd/cubby.user.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Cubby in-memory key-value cache (per-user)
+Documentation=https://git.juancwu.dev/juancwu/cubby
+After=default.target
+
+[Service]
+Type=simple
+# Path to the cubby binary. Build with:
+# go build -o ~/.local/bin/cubby ./cmd/cubby
+ExecStart=%h/.local/bin/cubby -socket %t/cubby.sock
+# %t expands to $XDG_RUNTIME_DIR (e.g. /run/user/1000), which is private to
+# the user, so the default 0600 socket permissions are fine.
+
+Restart=on-failure
+RestartSec=2s
+
+[Install]
+WantedBy=default.target
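Review bot: `RuntimeDirectoryMode=0755` on the line after `RuntimeDirectory=cubby` leaves /run/cubby traversable by every local user, so the only thing between a non-member and the socket is whatever mode the binary applies via `-group cubby`, which this unit cannot see. The README in this same commit says the socket is meant for members of the `cubby` group only, so `RuntimeDirectoryMode=0750` (the directory is already owned by User/Group) makes that restriction hold at the directory level regardless of the socket's own mode. The hardening block also omits a few cheap directives for a process that only needs an AF_UNIX socket: the capability bounding set can be emptied, and a syscall filter plus `RestrictSUIDSGID`/`PrivateDevices` closes the remaining gaps — check the result with `systemd-analyze security cubby.service` and watch `journalctl -u cubby` for seccomp kills before relying on the filter. `After=network.target` is unnecessary for a unit that never opens a network socket, though harmless.
```ini
# … unchanged: [Unit], User/Group, ExecStart …
RuntimeDirectory=cubby
RuntimeDirectoryMode=0750

# … unchanged: Restart=, RestartSec=, existing Hardening lines …
CapabilityBoundingSet=
RestrictSUIDSGID=true
PrivateDevices=true
ProtectClock=true
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=@system-service

# … unchanged: [Install] …
```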
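Review bot: `After=default.target` combined with `WantedBy=default.target` in cubby.user.service looks like an ordering cycle: a target implicitly orders itself After= the units it Wants= (when those units keep default dependencies), while this unit asks to start after that same target, and systemd resolves such cycles by dropping a job, which could leave the service unstarted at login. Nothing here needs ordering — the service only creates a socket under `%t` — so the `After=default.target` line can simply be dropped. Unprivileged user units can still use the seccomp-based options, so `NoNewPrivileges=true` and `RestrictAddressFamilies=AF_UNIX` from the system unit apply here too at no cost. The `%t` comment is right about the runtime directory being per-user, but whether the binary really defaults to a 0600 socket is not visible from this unit — worth confirming against the flag handling before the comment promises it.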