diff --git a/bin/deploy/systemd/conservancy-www-update.service b/bin/deploy/systemd/conservancy-www-update.service
new file mode 100644
index 0000000000000000000000000000000000000000..3374e35381f399e12cd9ec02852dc7605ece80ab
--- /dev/null
+++ b/bin/deploy/systemd/conservancy-www-update.service
@@ -0,0 +1,25 @@
+# Run the website update script (see also: conservancy-www-update.timer).
+
+[Unit]
+Description=Update Conservancy website checkout
+
+[Service]
+Type=oneshot
+User=www-data
+WorkingDirectory=/var/www/website
+ExecStart=/var/www/website/deploy/systemd/conservancy-www-update.sh
+
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
+CapabilityBoundingSet=
+NoNewPrivileges=true
+
+PrivateDevices=true
+PrivateNetwork=false
+PrivateTmp=true
+PrivateUsers=false
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/var/www/website
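Review bot: The `SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete` line is a denylist, so every syscall outside those six groups stays reachable by the update script, and nothing restricts non-native ABIs; an allowlist is the stronger shape here, e.g. `SystemCallFilter=@system-service`, `SystemCallArchitectures=native`, and, since `PrivateNetwork=false` shows the job needs the network, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` (verify the script's actual needs against the allowlist before deploying). Worth a comment next to `ReadWritePaths=/var/www/website` is that `ExecStart` points inside that same writable tree, so the sandbox bounds the blast radius but presumably whoever controls the checkout's contents controls what runs as www-data; the `.sh` and `.timer` referenced here are outside this hunk, so that is inferred. The remaining `Protect*`/`Restrict*` knobs (`ProtectKernelLogs`, `ProtectHostname`, `ProtectClock`, `RestrictNamespaces`, `RestrictRealtime`, `RestrictSUIDSGID`, `LockPersonality`) would round out the hardening block and cost nothing for a oneshot that only touches a checkout.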