diff --git a/.travis.yml b/.travis.yml
index 361d9e9..41e8aa4 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -22,7 +22,9 @@ script:
 - fpm -s dir -t deb -n pixiecore -v $(date '+%Y%m%d%H%M%S') --license Apache2 --vendor "David Anderson " --maintainer "David Anderson " --description "All-in-one PXE booting" --url "https://github.com/google/netboot"
+ --directories /usr/share/doc/pixiecore
 ./pixiecore.amd64=/usr/bin/pixiecore
+ ./pixiecore/pixiecore.service=/usr/share/doc/pixiecore/pixiecore.service.example
 env:
 global: # Packagecloud API token
diff --git a/pixiecore/pixiecore.service b/pixiecore/pixiecore.service
new file mode 100644
index 0000000..20a56c9
--- /dev/null
+++ b/pixiecore/pixiecore.service
@@ -0,0 +1,32 @@
+# This is an example service file for Pixiecore, which starts it in
+# API mode with as many execution restrictions as possible: read-only
+# filesystems, chroot, capability limitations, syscall filters...
+#
+# You will probably need to adjust this to your particular needs, but
+# this should be a comprehensive starting point.
+
+[Unit]
+Description=PXE booting server
+Documentation=https://github.com/google/netboot/tree/master/pixiecore
+
+[Service]
+WorkingDirectory=/tmp
+ExecStart=/usr/bin/pixiecore api https://example.com/api
+Restart=always
+User=nobody
+Group=nobody
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+PrivateTmp=true
+PrivateDevices=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+NoNewPrivileges=true
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+[Install]
+WantedBy=multi-user.target
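Review bot: `User=nobody` and `Group=nobody` in the new unit are a weak choice for a sandboxed service: `nobody` is shared with anything else on the host that maps to it, and on Debian, which the .travis.yml hunk packages for, the group is named `nogroup`, so `Group=nobody` would presumably fail at start-up. I would replace both lines with `DynamicUser=yes`, or with a dedicated account such as `User=pixiecore`; the ambient capabilities still apply either way. The header comment also lists chroot among the restrictions, but the unit sets no `RootDirectory=`, so either drop the word or add the directive. `SystemCallArchitectures=native` and `MemoryDenyWriteExecute=true` would fit the stated goal of applying as many restrictions as possible.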