diff --git a/data/usr/lib/systemd/system/freedombox-privileged.service b/data/usr/lib/systemd/system/freedombox-privileged.service
new file mode 100644
index 000000000..6112b5d43
--- /dev/null
+++ b/data/usr/lib/systemd/system/freedombox-privileged.service
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+[Unit]
+Description=FreedomBox Privileged Service
+Documentation=https://wiki.debian.org/FreedomBox/
+# Don't hit the start rate limiting.
+StartLimitIntervalSec=0
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/freedombox-privileged
+TimeoutSec=300s
+User=root
+Group=root
+NotifyAccess=main
+PrivateTmp=yes
+Restart=on-failure
+# Don't restart too fast
+RestartSec=1
+RestartSteps=3
+RestartMaxDelaySec=5
diff --git a/data/usr/lib/systemd/system/freedombox-privileged.socket b/data/usr/lib/systemd/system/freedombox-privileged.socket
new file mode 100644
index 000000000..acb7b8a61
--- /dev/null
+++ b/data/usr/lib/systemd/system/freedombox-privileged.socket
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+[Unit]
+Description=FreedomBox Privileged Service Socket
+Documentation=https://wiki.debian.org/FreedomBox/
+
+[Socket]
+Accept=no
+ListenStream=/run/freedombox/privileged.socket
+SocketUser=root
+SocketGroup=root
+SocketMode=0666
+DirectoryMode=755
+
+[Install]
+WantedBy=sockets.target
diff --git a/debian/rules b/debian/rules
index 1c5d3057c..50a2cc0c1 100755
--- a/debian/rules
+++ b/debian/rules
@@ -34,4 +34,5 @@ override_dh_installsystemd:
 	# (as of debhelper 13.5.2) that still has hardcoded search path of
 	# /lib/systemd/system for searching systemd services. See #987989 and
 	# reversion of its changes.
-	dh_installsystemd --tmpdir=debian/tmp/usr --package=freedombox plinth.service
+	dh_installsystemd --tmpdir=debian/tmp/usr --package=freedombox \
+		plinth.service freedombox-privileged.socket