diff --git a/files/usr/lib/systemd/system/rpm-ostreed.service b/files/usr/lib/systemd/system/rpm-ostreed.service
new file mode 100644
index 00000000..352b6d10
--- /dev/null
+++ b/files/usr/lib/systemd/system/rpm-ostreed.service
@@ -0,0 +1,32 @@
+[Unit]
+Description=rpm-ostree System Management Daemon
+Documentation=man:rpm-ostree(1)
+ConditionPathExists=/ostree
+RequiresMountsFor=/boot
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+# See similar code in rpm-ostree-countme.service
+User=rpm-ostree
+DynamicUser=yes
+# As of right now, our primary API is DBus.  But see also https://github.com/coreos/rpm-ostree/issues/3850
+Type=dbus
+BusName=org.projectatomic.rpmostree1
+# To use the read-only sysroot bits
+MountFlags=slave
+# We have no business accessing /var/roothome or /var/home.  In general
+# the ostree design clearly avoids touching those, but since systemd offers
+# us easy tools to toggle on protection, let's use them.  In the future
+# it'd be nice to do something like using DynamicUser=yes for the main service,
+# and have a system rpm-ostreed-transaction.service that runs privileged
+# but as a subprocess.
+ProtectHome=true
+NotifyAccess=main
+# Significantly bump this timeout from the default because
+# we do a lot of stuff on daemon startup.
+TimeoutStartSec=5m
+# We start this main process with full privileges; it may spawn unprivileged processes
+# with the rpm-ostree user.
+ExecStart=+rpm-ostree start-daemon
+ExecReload=rpm-ostree reload