diff --git a/bundles/left4me/metadata.py b/bundles/left4me/metadata.py
index 327db22..fa474b7 100644
--- a/bundles/left4me/metadata.py
+++ b/bundles/left4me/metadata.py
@@ -20,3 +20,55 @@ defaults = {
 },
 },
 }
+
+
+@metadata_reactor.provides(
+ 'systemd/units',
+)
+def systemd_units(metadata):
+ workers = metadata.get('left4me/gunicorn_workers')
+ threads = metadata.get('left4me/gunicorn_threads')
+
+ web_service = {
+ 'Unit': {
+ 'Description': 'left4me web application',
+ 'After': 'network-online.target',
+ 'Wants': 'network-online.target',
+ },
+ 'Service': {
+ 'Type': 'simple',
+ 'User': 'left4me',
+ 'Group': 'left4me',
+ 'WorkingDirectory': '/opt/left4me/src',
+ 'Environment': {
+ 'HOME=/var/lib/left4me',
+ 'PATH=/opt/left4me/.venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ },
+ 'EnvironmentFile': {
+ '/etc/left4me/host.env',
+ '/etc/left4me/web.env',
+ },
+ 'ExecStart': (
+ '/opt/left4me/.venv/bin/gunicorn '
+ f'--workers {workers} --threads {threads} '
+ "--bind 127.0.0.1:8000 'l4d2web.app:create_app()'"
+ ),
+ 'Restart': 'on-failure',
+ 'RestartSec': '3',
+ # NoNewPrivileges intentionally NOT set: workers sudo to the helpers.
+ 'ProtectSystem': 'full',
+ 'ReadWritePaths': '/var/lib/left4me',
+ 'PrivateTmp': 'true',
+ },
+ 'Install': {
+ 'WantedBy': {'multi-user.target'},
+ },
+ }
+
+ return {
+ 'systemd': {
+ 'units': {
+ 'left4me-web.service': web_service,
+ },
+ },
+ }
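Review bot: `'ReadWritePaths': '/var/lib/left4me'` has no effect next to `'ProtectSystem': 'full'` — `full` only makes `/usr`, `/boot` and `/etc` read-only, so `/var` is already writable and the line gives a false impression of confinement. Either switch to `'ProtectSystem': 'strict'`, which is what makes `ReadWritePaths` meaningful (and, since the comment says the workers `sudo` to helpers, check whether sudo's timestamp directory under `/run` then needs to be listed as well), or drop the line with a comment stating that only `/usr`, `/boot` and `/etc` are protected. The sudoers rules those helpers rely on are outside this hunk, so the unit's effective privilege boundary cannot be judged from it alone. Separately, `workers` and `threads` are interpolated unquoted into the ExecStart line; coercing them at the top with `workers = int(metadata.get('left4me/gunicorn_workers'))` (and likewise for `threads`) makes a malformed metadata value fail at build time instead of producing an unparseable command line.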