diff --git a/files/crab.service b/files/crab.service
new file mode 100644
index 0000000..e5ff77f
--- /dev/null
+++ b/files/crab.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=Crab Router
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+User=nobody
+ExecStart=/usr/bin/crab router
+Environment="CRAB_ROUTER_HOST=0.0.0.0"
+
+# Allow port 80 bind
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=yes
+
+# More protections, because why not
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectSystem=full
+
+[Install]
+RequiredBy=multi-user.target
diff --git a/tasks/dabapps.yml b/tasks/dabapps.yml
index 53c13a3..f826a74 100644
--- a/tasks/dabapps.yml
+++ b/tasks/dabapps.yml
@@ -43,3 +43,11 @@
     option: ignore
     value: "{{ home }}/.config/.gitignore"
     mode: 0644
+
+- name: Install Crab service
+  template:
+    src: ./files/crab.service
+    dest: /etc/systemd/system/crab.service
+    mode: 0644
+    owner: root
+    group: root