systemd Service Generator
Build production-ready systemd .service unit files in your browser. Presets for Node, Python, Go, Java, Docker Compose, plus hardening and a timer companion.
Preset
Pick what this service runs
Each preset switches the directives and defaults to match a common systemd deployment pattern.
Long-running Node service (Express, Fastify, Next.js standalone, NestJS, Hono). Type=simple, restart on failure, journal logging.
[Unit]
Identity and dependencies
File will be saved as myapp.service
Shown by systemctl status and journalctl.
Space-separated units that must start first.
Weak dependency. Wants will not fail this unit if it cannot start.
Hard dependency. If a Required unit fails, this unit fails too.
Optional. Unit silently skips if the path does not exist.
Max start attempts in the interval below before systemd refuses to restart.
Window in seconds for the burst counter.
[Service]
What and how to run
Default. The main process is the one launched by ExecStart. systemd considers it started immediately.
System user the service runs as. Avoid root unless the service genuinely needs it.
Defaults to the primary group of User if omitted.
Absolute path. The cwd for the ExecStart command.
Absolute path to the binary plus arguments. Shell features (pipes, globs, &&) are not expanded; wrap them in a script if you need them.
Optional. Runs before ExecStart. Prefix with - to ignore failures.
Optional. If empty, systemd sends KillSignal when stopping.
Optional. Used by systemctl reload to refresh config without a full restart.
Optional. One KEY=VALUE per line. Useful for secrets that should not appear in the unit file.
Restart on non-zero exit, signal, timeout, or watchdog. Sensible default for daemons.
Seconds to wait before restarting after exit.
Seconds before systemd gives up waiting for the unit to finish starting.
Seconds before systemd escalates to SIGKILL when stopping.
Signal sent to stop the service. Default SIGTERM.
Sandbox and hardening
Lock the service down
These directives narrow the kernel surface area the service can see. Defaults match a typical web service; turn them off for container runtimes, audio, GPU, or KVM workloads.
strict makes the entire FS read-only. Add ReadWritePaths below.
Space-separated absolute paths the service may still write to.
Space-separated. Prefix the list with ~ to invert it, so the listed capabilities are dropped and all others are kept (for example ~CAP_SYS_ADMIN).
Useful for binding ports below 1024 without running as root.
Resource limits
Memory, CPU, tasks, file descriptors
Off by default. Turn on to add MemoryMax, CPUQuota, TasksMax, and LimitNOFILE.
[Install]
How systemctl enable wires the unit
Almost always multi-user.target. systemctl enable creates a symlink in the target's .wants directory.
Companion timer
Schedule the service like cron
Off by default. Enable to also generate a matching .timer file that runs this service on a schedule.
Output
myapp.service
Save to /etc/systemd/system/myapp.service, then run sudo systemctl daemon-reload and enable it.
[Unit]
Description=Node.js application service
After=network-online.target
Wants=network-online.target
StartLimitBurst=5
StartLimitIntervalSec=60
[Service]
Type=simple
User=myapp
Group=myapp
WorkingDirectory=/opt/myapp
Environment="NODE_ENV=production"
Environment="PORT=3000"
ExecStart=/usr/bin/node /opt/myapp/server.js
Restart=on-failure
RestartSec=5
TimeoutStartSec=30
TimeoutStopSec=30
KillSignal=SIGTERM
KillMode=control-group
StandardOutput=journal
StandardError=journal
SyslogIdentifier=myapp
# Hardening
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=true
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
LockPersonality=yes
RestrictRealtime=yes
ReadWritePaths=/var/lib/myapp /var/log/myapp
[Install]
WantedBy=multi-user.target
Review
Looks good
Hardening on, network-online.target wired, restart policy set. Ready to install.
Install and run
Quick commands
sudo nano /etc/systemd/system/myapp.service
sudo systemctl daemon-reload
sudo systemctl enable --now myapp.service
journalctl -u myapp.service -f
sudo systemctl status myapp.service
sudo systemctl restart myapp.service
sudo systemctl stop myapp.service
Why these defaults
A short tour of the choices baked in
Network-aware ordering
Services bound to a socket usually want After and Wants on network-online.target. The preset picks this for you so the process is not started before DHCP completes.
Sane restart policy
Restart=on-failure is the default. systemd will not retry on a clean shutdown, but restarts the service after a crash, waiting 5 seconds (RestartSec) between attempts until the StartLimitBurst limit is reached.
Journal logging by default
StandardOutput and StandardError go to the journal. Pull logs at any time with journalctl -u and pipe directly into log shippers that read from the journal.
Hardening that is safe to ship
ProtectSystem=strict, ProtectHome=true, PrivateTmp, PrivateDevices, ProtectKernelTunables, and ProtectKernelModules all on. RestrictNamespaces is left off because it blocks container runtimes.
Absolute paths everywhere
systemd does not search $PATH. The validator enforces absolute paths for ExecStart, ExecStartPre, ExecStop, WorkingDirectory, and EnvironmentFile so the unit will not silently fail to start.
Timers replace cron cleanly
Enabling the timer companion produces a matching .timer file with Persistent so missed runs catch up after a reboot, AccuracySec to let systemd batch wake-ups, and an optional RandomizedDelaySec for fleets that should not stampede the network.
How to use
- Pick the preset that matches what the service runs (Node, Python, Go, Java, Docker Compose, shell script, or one-shot job).
- Edit the unit name, description, dependencies, and the [Service] block. ExecStart must be an absolute path.
- Add Environment variables and an EnvironmentFile if the service needs configuration or secrets.
- Toggle the sandbox directives you want and list any directories the service must still write to under ReadWritePaths.
- Turn on the companion timer to schedule the service on a calendar (OnCalendar) or interval (OnBootSec / OnUnitActiveSec), then copy the .service and .timer files into /etc/systemd/system/.
About this tool
systemd Service Generator builds a complete .service unit file for a long-running Linux service from a small set of choices: a workload preset (Node.js, Python, Go binary, Java, Docker Compose stack, shell script, or one-shot job), unit identity (name, description, dependencies), the [Service] block (Type, User, Group, WorkingDirectory, ExecStart, ExecStartPre, ExecStop, ExecReload, Environment, EnvironmentFile, Restart policy, RestartSec, timeouts, KillSignal, KillMode, PIDFile, StandardOutput, StandardError, SyslogIdentifier, RemainAfterExit), an [Install] target (usually multi-user.target), a sandbox panel that covers the directives security teams actually ask for (NoNewPrivileges, ProtectSystem, ProtectHome, PrivateTmp, PrivateDevices, ProtectKernelTunables, ProtectKernelModules, ProtectControlGroups, RestrictNamespaces, LockPersonality, MemoryDenyWriteExecute, RestrictRealtime, ReadWritePaths, CapabilityBoundingSet, AmbientCapabilities), cgroup resource limits (MemoryMax, CPUQuota, TasksMax, LimitNOFILE), and an optional companion .timer file (OnCalendar, OnBootSec, OnUnitActiveSec, AccuracySec, RandomizedDelaySec, Persistent) so a one-shot job can be scheduled like cron.
A live validator catches the mistakes that actually break units in production: relative ExecStart paths (systemd does not search $PATH), Type=forking without PIDFile, RestrictNamespaces on Docker, PrivateDevices on audio or GPU services, ProtectSystem=strict without ReadWritePaths, missing network-online.target for network-bound binaries, and unusual WantedBy targets.
The output is two real files (a .service and, optionally, a .timer) that paste straight into /etc/systemd/system/ followed by systemctl daemon-reload and systemctl enable --now. Everything runs in your browser, so the binary paths, credentials in EnvironmentFile, and service topology you type never leave your device.
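Several of the validator checks described above can be reproduced offline against unit files already on disk. The following is an added example, not the tool's own code: a small Python linter covering the absolute-path, Type=forking and ProtectSystem=strict checks, plus the run-as-root advice from the User field. The function names, finding messages and sample unit are constructed for illustration.

```python
# Added example (not the generator's code): lint a unit file for mistakes
# the page describes. Names and messages are hypothetical.
EXEC_KEYS = ("ExecStart", "ExecStartPre", "ExecStop", "ExecReload")
PATH_KEYS = ("WorkingDirectory", "EnvironmentFile")

def parse_unit(text):
    """Return {section: {key: [values]}}; directives may repeat."""
    unit, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = unit.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section.setdefault(key.strip(), []).append(value.strip())
    return unit

def last(section, key, default=""):
    """Last assignment wins for single-valued directives."""
    return section.get(key, [default])[-1]

def lint(text):
    svc = parse_unit(text).get("Service", {})
    findings = []
    for key in EXEC_KEYS + PATH_KEYS:
        for value in svc.get(key, []):
            # Drop systemd's special prefixes (e.g. "-" to ignore failure).
            parts = value.lstrip("-@+!:").split()
            if parts and not parts[0].startswith("/"):
                findings.append(f"{key}: relative path {parts[0]}")
    if last(svc, "Type") == "forking" and not last(svc, "PIDFile"):
        findings.append("Type=forking without PIDFile")
    if last(svc, "ProtectSystem") == "strict" and not any(svc.get("ReadWritePaths", [])):
        findings.append("ProtectSystem=strict without ReadWritePaths")
    if last(svc, "User", "root") in ("root", "0"):  # no User= means root
        findings.append("service runs as root")
    return findings

# Constructed sample with four deliberate mistakes.
SAMPLE = """[Unit]
Description=constructed sample
[Service]
Type=forking
ExecStartPre=-/usr/bin/mkdir -p /run/myapp
ExecStart=node /opt/myapp/server.js
ProtectSystem=strict
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

For a second opinion on the sandbox settings of an installed unit, systemd-analyze security myapp.service scores the directives systemd actually applied.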
Free to use. Works in your browser. No signup, no login.