programname.service

[Unit]
Description=ServiceName
Documentation=https://example.com/doc.txt
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-failure
PermissionsStartOnly=true
User=programusername
Group=programusername
ExecStartPre=/sbin/setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/programname
ExecStart=/usr/local/bin/programname -flag 443

[Install]
WantedBy=multi-user.target

steps.sh

#!/bin/bash
scp programname.service you@example.com:/etc/systemd/system/
scp $GOPATH/bin/programname you@example.com:/usr/local/bin/
ssh you@example.com
sudo su - # pwd: /root

# make sure this matches the programusername in service
# and DOES NOT start with a digit.
groupadd programusername
useradd -g programusername programusername
chmod g-w /home/programusername/
chmod 644 /etc/systemd/system/programname.service
chmod 700 /usr/local/bin/programname

# If you need to run on port 443
setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/programname
systemctl daemon-reload
systemctl start programname.service
systemctl enable programname.service