Linux systemd Service Files Cheat Sheet

Author, edit, override, and harden systemd .service files with practical examples.


Authoring Basics

Create and install custom service units.

Create custom service file

Open a new service file under /etc/systemd/system.

bash
sudo nano /etc/systemd/system/myapp.service
Notes

Custom local units usually belong under /etc/systemd/system.

Basic service file example

Minimal custom service unit.

ini
[Unit]
Description=My App
After=network.target

[Service]
Type=simple
User=myapp
WorkingDirectory=/opt/myapp
ExecStart=/usr/bin/node /opt/myapp/server.js
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
Notes

A minimal but production-useful service unit.

Reload after creating unit

Refresh manager state after writing a new service.

bash
sudo systemctl daemon-reload
Notes

Required after adding or editing unit files.

Enable and start custom unit

Activate the new custom service.

bash
sudo systemctl enable --now myapp.service
Notes

Common final step after authoring a unit.

Drop-Ins and Overrides

Override vendor unit settings safely.

Create override drop-in

Edit a unit override file.

bash
sudo systemctl edit nginx
Notes

Creates a drop-in under /etc/systemd/system/<unit>.d/override.conf.

Override environment example

Set environment values in a drop-in.

ini
[Service]
Environment=NODE_ENV=production
Environment=PORT=8080
Notes

Drop-ins are the preferred way to add or change settings.

Replace ExecStart in override

Clear old ExecStart then set new one.

ini
[Service]
ExecStart=
ExecStart=/usr/local/bin/myapp --config /etc/myapp/config.yml
Notes

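When overriding ExecStart in a drop-in, the empty ExecStart= line clears the original command. Without it the new command is appended rather than replacing the old one, which systemd accepts only for Type=oneshot.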

Show effective unit with drop-ins

Print final unit and all overrides.

bash
systemctl cat myapp.service
Notes

Helps verify the effective configuration.

Environment, Users, Dependencies

Set service identity and startup relationships.

Load variables from EnvironmentFile

Use an external env file.

ini
[Service]
EnvironmentFile=/etc/myapp/myapp.env
Notes

Good for keeping secrets and config out of ExecStart. Restrict the file's ownership and mode so that only root can read it.

Run service as non-root user

Specify service user and group.

ini
[Service]
User=myapp
Group=myapp
Notes

Preferred for least privilege.

Set working directory

Run service from a specific directory.

ini
[Service]
WorkingDirectory=/opt/myapp
Notes

Useful for relative file access and app startup.

Start after another unit

Set ordering and dependency relationship.

ini
[Unit]
Wants=network-online.target
After=network-online.target
Notes

Common for network-dependent apps.

Require another unit

Fail if the required unit is absent or stopped.

ini
[Unit]
Requires=postgresql.service
After=postgresql.service
Notes

Stronger relationship than Wants.

Restart Policy, Types, Hardening

Tune service behavior and isolation.

Restart on failure

Automatic restart policy.

ini
[Service]
Restart=on-failure
RestartSec=5
Notes

Common production resilience setting.

One-shot service type

Configure a one-time task service.

ini
[Service]
Type=oneshot
ExecStart=/usr/local/bin/cleanup.sh
RemainAfterExit=yes
Notes

Often paired with timers.

Use Type=notify

Service signals readiness to systemd.

ini
[Service]
Type=notify
NotifyAccess=main
Notes

Used by daemons with sd_notify support.

Basic sandboxing example

Apply a few common hardening options.

ini
[Service]
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/myapp
Notes

A starting point for service hardening.

Limit Linux capabilities

Reduce privilege scope.

ini
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
Notes

Useful when binding privileged ports without full root access.

Evaluate unit hardening

Score a custom service for security posture.

bash
systemd-analyze security myapp.service
Notes

Good final review after adding sandbox settings.
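
An offline complement to the review above, as an added example that is not part of the original sheet: it reads `systemctl cat`-style text, resolves the final value of each [Service] directive across drop-ins (including the empty-assignment reset shown for ExecStart), and flags the sandbox settings from this sheet that are missing or weakened. The function names and the sample unit are constructed for illustration, and every directive is treated as single-valued.

```sh
# Added example (not from the original sheet): audit effective [Service] settings.
# stdin: text shaped like `systemctl cat` output (unit file, then its drop-ins).
# Simplification: each directive is treated as single-valued (last one wins; an
# empty assignment such as "ExecStart=" resets it). List-type settings differ.
effective_service_settings() {
  awk '
    /^[ \t]*[#;]/ { next }
    /^\[/ { in_service = ($0 ~ /^\[Service\]/); next }
    in_service && /=/ {
      key = $0; sub(/[ \t]*=.*/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      if (!(key in v)) order[++n] = key
      v[key] = val
    }
    END { for (i = 1; i <= n; i++) if (v[order[i]] != "") print order[i] "=" v[order[i]] }'
}

# Report the hardening settings from this sheet that are missing or weakened.
audit_hardening() {
  effective_service_settings | awk -F= '
    function enabled(k) { return val[k] ~ /^(yes|true|on|1)$/ }
    { val[$1] = substr($0, length($1) + 2) }
    END {
      if (!enabled("NoNewPrivileges")) print "NoNewPrivileges: not enabled"
      if (!enabled("PrivateTmp")) print "PrivateTmp: not enabled"
      ps = val["ProtectSystem"]; if (ps != "strict") print "ProtectSystem: " (ps == "" ? "unset" : ps) " (page uses strict)"
      if (val["ProtectHome"] !~ /^(yes|true|on|1|read-only|tmpfs)$/) print "ProtectHome: not enabled"
      if (val["User"] == "" || val["User"] == "root") print "User: service runs as root"
    }'
}

# Constructed sample: a hardened base unit plus a drop-in that weakens it.
sample_unit() {
  cat <<'EOF'
# /etc/systemd/system/myapp.service
[Service]
User=myapp
ExecStart=/usr/bin/node /opt/myapp/server.js
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
# /etc/systemd/system/myapp.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/local/bin/myapp --config /etc/myapp/config.yml
ProtectSystem=full
EOF
}
sample_unit | audit_hardening
```

On a live host, pipe `systemctl cat myapp.service` into `audit_hardening` so the drop-ins are included in what gets checked.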
