diff --git a/systemd/karl.service b/systemd/karl.service
new file mode 100644
index 0000000..9767b65
--- /dev/null
+++ b/systemd/karl.service
@@ -0,0 +1,34 @@
+[Unit]
+Description=Karl
+After=network.target
+Wants=network.target
+StartLimitBurst=3
+StartLimitIntervalSec=60
+
+[Service]
+User=karl
+WorkingDirectory=/home/karl/app
+ExecStart=/home/karl/app/venv/bin/gunicorn \
+    -c /home/karl/app/gunicorn.conf.py \
+    app.main:app
+
+# Graceful reload (sends SIGHUP)
+ExecReload=/bin/kill -s HUP $MAINPID
+
+# Restart on failure
+Restart=on-failure
+RestartSec=5s
+
+# Security hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ReadWritePaths=/var/log/karl /tmp
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=karl
+
+[Install]
+WantedBy=multi-user.target