Linux systemd Service Files Cheat Sheet

Author, edit, override, and harden systemd .service files with practical examples.


Authoring Basics

Create and install custom service units.

Create custom service file

Open a new service file under /etc/systemd/system.

bash
sudo nano /etc/systemd/system/myapp.service

Custom local units usually belong under /etc/systemd/system.

Basic service file example

Minimal custom service unit.

ini
[Unit]
Description=My App
After=network.target

[Service]
Type=simple
User=myapp
WorkingDirectory=/opt/myapp
ExecStart=/usr/bin/node /opt/myapp/server.js
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

A minimal but production-useful service unit.

Reload after creating unit

Refresh manager state after writing a new service.

bash
sudo systemctl daemon-reload

Required after adding or editing unit files.

Enable and start custom unit

Activate the new custom service.

bash
sudo systemctl enable --now myapp.service

Common final step after authoring a unit.

Drop-Ins and Overrides

Override vendor unit settings safely.

Create override drop-in

Edit a unit override file.

bash
sudo systemctl edit nginx

Creates a drop-in under /etc/systemd/system/<unit>.d/override.conf.

Override environment example

Set environment values in a drop-in.

ini
[Service]
Environment=NODE_ENV=production
Environment=PORT=8080

Drop-ins are the preferred way to add or change settings.

Replace ExecStart in override

Clear old ExecStart then set new one.

ini
[Service]
ExecStart=
ExecStart=/usr/local/bin/myapp --config /etc/myapp/config.yml

An empty ExecStart= resets the inherited command list. Without it, the drop-in adds a second ExecStart, which systemd rejects unless Type=oneshot.

Show effective unit with drop-ins

Print final unit and all overrides.

bash
systemctl cat myapp.service

Helps verify the effective configuration.

Environment, Users, Dependencies

Set service identity and startup relationships.

Load variables from EnvironmentFile

Use an external env file.

ini
[Service]
EnvironmentFile=/etc/myapp/myapp.env

Good for keeping secrets and config out of ExecStart. Restrict the file's permissions so other local users cannot read it.

Run service as non-root user

Specify service user and group.

ini
[Service]
User=myapp
Group=myapp

Preferred for least privilege.

Set working directory

Run service from a specific directory.

ini
[Service]
WorkingDirectory=/opt/myapp

Useful for relative file access and app startup.

Start after another unit

Set ordering and dependency relationship.

ini
[Unit]
Wants=network-online.target
After=network-online.target

Common for network-dependent apps.

Require another unit

Fail if the required unit is absent or stopped.

ini
[Unit]
Requires=postgresql.service
After=postgresql.service

Stronger relationship than Wants.

Restart Policy, Types, Hardening

Tune service behavior and isolation.

Restart on failure

Automatic restart policy.

ini
[Service]
Restart=on-failure
RestartSec=5

Common production resilience setting.

One-shot service type

Configure a one-time task service.

ini
[Service]
Type=oneshot
ExecStart=/usr/local/bin/cleanup.sh
RemainAfterExit=yes

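Often paired with timers. For a timer-driven job, omit RemainAfterExit=yes: a unit that stays active after exiting is not started again when the timer next elapses.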

Use Type=notify

Service signals readiness to systemd.

ini
[Service]
Type=notify
NotifyAccess=main

Used by daemons with sd_notify support.

Basic sandboxing example

Apply a few common hardening options.

ini
[Service]
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/myapp

A starting point for service hardening.

Limit Linux capabilities

Reduce privilege scope.

ini
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

Useful when binding privileged ports without full root access.

Evaluate unit hardening

Score a custom service for security posture.

bash
systemd-analyze security myapp.service

Good final review after adding sandbox settings.
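
A static pre-check that complements `systemd-analyze security`, added here as an example and not part of the original sheet: it reads a unit file and reports which of the hardening directives shown above are missing or weak. The function name `audit_unit` and both sample units are constructed for illustration.

```shell
# Added example: static check of [Service] hardening (names and samples are constructed).
# Print one line per hardening gap in the unit file at $1 ("-" reads stdin).
audit_unit() {
    awk '
    function truthy(v) { v = tolower(v); return v == "yes" || v == "true" || v == "on" || v == "1" }
    /^[ \t]*[#;]/ { next }                              # skip comment lines
    /^\[/ { in_service = ($0 ~ /^\[Service\]/); next }  # track the current section
    in_service && /=/ {
        key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        cfg[key] = val                                  # a later assignment wins
    }
    END {
        if (!("User" in cfg) || cfg["User"] == "" || cfg["User"] == "root" || cfg["User"] == "0")
            print "User: service runs as root"
        if (!truthy(cfg["NoNewPrivileges"])) print "NoNewPrivileges: not enabled"
        if (!truthy(cfg["PrivateTmp"])) print "PrivateTmp: not enabled"
        if (cfg["ProtectSystem"] != "strict") print "ProtectSystem: not strict"
        ph = cfg["ProtectHome"]
        if (!truthy(ph) && ph != "read-only" && ph != "tmpfs")
            print "ProtectHome: not enabled"
        if (!("CapabilityBoundingSet" in cfg))
            print "CapabilityBoundingSet: unset, no capabilities dropped"
    }' "$1"
}

# Constructed sample: no User= and almost no sandboxing.
weak_unit() {
cat <<'EOF'
[Service]
ExecStart=/usr/bin/node /opt/myapp/server.js
PrivateTmp=yes
EOF
}

# Constructed sample: the same service with the hardening directives from this sheet.
hardened_unit() {
cat <<'EOF'
[Service]
User=myapp
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
EOF
}

weak_unit | audit_unit -      # prints five findings
hardened_unit | audit_unit -  # prints nothing
```

On a live host, `systemctl cat myapp.service | audit_unit -` checks the unit together with its drop-ins, since later assignments override earlier ones.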
