diff --git a/etc/systemd-vaultd.service b/etc/systemd-vaultd.service
new file mode 100644
index 0000000..7062ff3
--- /dev/null
+++ b/etc/systemd-vaultd.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=systemd-vault daemon
+Requires=systemd-vaultd.socket
+
+[Service]
+ExecStart=/usr/bin/systemd-vaultd
+Restart=yes
+ProtectSystem=strict
+ProtectHome=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateUsers=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+MemoryDenyWriteExecute=yes
+SystemCallFilter=@default @file-system @basic-io @system-service @signal @io-event @network-io
+
+[Install]
+Also=systemd-vaultd.socket
diff --git a/etc/systemd-vaultd.socket b/etc/systemd-vaultd.socket
new file mode 100644
index 0000000..290841d
--- /dev/null
+++ b/etc/systemd-vaultd.socket
@@ -0,0 +1,8 @@
+[Unit]
+Description=systemd-vault activation socket
+
+[Socket]
+ListenStream=/run/systemd-vaultd/sock
+
+[Install]
+WantedBy=sockets.target
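Review bot: `Restart=yes` is not a value systemd accepts for `Restart=` (valid are `no`, `on-success`, `on-failure`, `on-abnormal`, `on-watchdog`, `on-abort`, `always`), so the line will be rejected at load time and the daemon will not be restarted at all; it should read `Restart=on-failure` (or `always`, whichever is intended). The `[Service]` section also carries no `User=`/`DynamicUser=`, so the daemon runs as root with a full capability set, and none of the listed sandboxing options imply `NoNewPrivileges=` for a root service; unless the daemon needs a capability that is not evident here, add `NoNewPrivileges=yes` and `CapabilityBoundingSet=` (empty) alongside the existing hardening, and consider `SystemCallArchitectures=native` so the filter cannot be bypassed via a foreign ABI. With `ProtectSystem=strict` and no `ReadWritePaths=`/`StateDirectory=`, the process has no writable location outside /dev, /proc and /sys; that is fine if the daemon keeps no on-disk state, but it is worth confirming against the binary.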
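Review bot: `ListenStream=/run/systemd-vaultd/sock` is created with systemd's default `SocketMode=` of 0666 and a 0755 runtime directory, so every local user can connect to what is, by name, a vault daemon; nothing in this unit or the service unit shows the daemon enforcing peer credentials, so access control should at least be applied at the socket. Restrict the socket to the intended clients with `SocketMode=0600` and `DirectoryMode=0700`, or, if other services must reach it, `SocketGroup=<group>` with `SocketMode=0660`. If the daemon does check peer identity itself (e.g. via SO_PEERCRED), a comment on the `[Socket]` section saying so would save the next reader the same question.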