diff --git a/docs/setup/asb/systemd/bitcoind.service b/docs/setup/asb/systemd/bitcoind.service
new file mode 100644
index 00000000..65155b1a
--- /dev/null
+++ b/docs/setup/asb/systemd/bitcoind.service
@@ -0,0 +1,47 @@
+[Unit]
+Description=bitcoind
+
+# https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
+After=network-online.target
+Wants=network-online.target
+
+OnFailure=unit-status-email@%n.service
+
+[Service]
+Type=forking
+PIDFile=/var/external/asb/bitcoin/bin/bitcoind.pid
+
+# note that the conf is relative to the datadir
+ExecStart=/var/external/asb/bitcoin/bin/bitcoind -daemon -pid=/var/external/asb/bitcoin/bin/bitcoind.pid -conf=/var/external/asb/bitcoin/conf/bitcoin-testnet-default.conf -datadir=/var/external/asb/bitcoin
+
+Restart=on-failure
+TimeoutStopSec=600
+
+User=asb
+Group=asb
+
+# Hardening measures
+####################
+
+# Provide a private /tmp and /var/tmp.
+PrivateTmp=true
+
+# Mount /usr, /boot/ and /etc read-only for the process.
+ProtectSystem=full
+
+# Deny access to /home, /root and /run/user
+ProtectHome=true
+
+# Disallow the process and all of its children to gain
+# new privileges through execve().
+NoNewPrivileges=true
+
+# Use a new /dev namespace only populated with API pseudo devices
+# such as /dev/null, /dev/zero and /dev/random.
+PrivateDevices=true
+
+# Deny the creation of writable and executable memory mappings.
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
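Review bot: The hardening block does not protect the service's own executable. `PIDFile=` and `-pid=` point into `/var/external/asb/bitcoin/bin/`, the directory that holds the `ExecStart` binary, so that directory presumably has to be writable by `User=asb`, and `ProtectSystem=full` only makes /usr, /boot and /etc read-only. A compromised bitcoind could therefore overwrite the binary that `Restart=on-failure` relaunches. Moving the PID file to a runtime directory (`RuntimeDirectory=bitcoind`, `PIDFile=/run/bitcoind/bitcoind.pid`, with `-pid=` changed to match) and adding `ReadOnlyPaths=/var/external/asb/bitcoin/bin /var/external/asb/bitcoin/conf` would close that gap. Separately, the comment above `ExecStart` says the conf path is relative to the datadir, but `-conf=` is given an absolute path, so the comment should be corrected or dropped.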