diff --git a/instruct_kerberos.md b/instruct_kerberos.md
index ae7da77..c8413d4 100644
--- a/instruct_kerberos.md
+++ b/instruct_kerberos.md
@@ -223,4 +223,89 @@ else
 "$APP_USER" \
 || { log_error "Failed to create user: $APP_USER"; return 1; }
 fi
+```
+
+```bash
+#!/usr/bin/env bash
+# =============================================================================
+# 06-app-service.sh — Create and enable the systemd service unit
+# =============================================================================
+
+require_vars APP_SERVICE_NAME APP_ROOT APP_DIR APP_ENV_DIR APP_HOST APP_PORT \ APP_USER APP_GROUP APP_MODULE || return 1
+
+# APP_ENV_DIR defaults to APP_ROOT if not explicitly set in config
+APP_ENV_DIR="${APP_ENV_DIR:-$APP_ROOT}"
+
+UNIT_FILE="/etc/systemd/system/${APP_SERVICE_NAME}.service"
+
+# ---- Build the After= line ----
+AFTER_TARGETS="network.target"
+if [[ -n "${CIFS_MOUNTS:-}" ]]; then
+ AFTER_TARGETS="network.target remote-fs.target"
+fi
+
+# ---- Capability for privileged ports ----
+CAP_LINE=""
+if (( APP_PORT < 1024 )); then
+ CAP_LINE="AmbientCapabilities=CAP_NET_BIND_SERVICE"
+ log_info "Port ${APP_PORT} < 1024 — adding CAP_NET_BIND_SERVICE"
+fi
+
+# ---- Verify uvicorn is installed ----
+if ! "${APP_ROOT}/.venv/bin/python" -c "import uvicorn" &>/dev/null; then
+ log_error "uvicorn not importable in ${APP_ROOT}/.venv — was step 3 (App Install) successful?"
+ return 1
+fi
+
+# ---- Build ExecStart command ----
+# Use the venv python to run uvicorn as a module, avoiding shebang path issues.
+EXEC_START="${APP_ROOT}/.venv/bin/python -m uvicorn ${APP_MODULE} --host ${APP_HOST} --port ${APP_PORT}"
+
+if [[ "${APP_SSL_ENABLED:-true}" == "true" ]]; then
+ EXEC_START="${EXEC_START} --ssl-keyfile \${SSL_KEYFILE} --ssl-certfile \${SSL_CERTFILE}"
+fi
+
+# ---- Write the unit file ----
+log_info "Writing systemd unit file: $UNIT_FILE"
+cat > "$UNIT_FILE" <