diff --git a/.github/workflows/publish-linux-packages.yml b/.github/workflows/publish-linux-packages.yml
index f1392040b..3185a6456 100644
--- a/.github/workflows/publish-linux-packages.yml
+++ b/.github/workflows/publish-linux-packages.yml
@@ -16,6 +16,7 @@ jobs:
       matrix:
         package_name:
           - openziti
+          - openziti-controller
         arch:
           - goreleaser: amd64
             gox: amd64
diff --git a/dist/dist-packages/linux/nfpm-openziti-controller.yaml b/dist/dist-packages/linux/nfpm-openziti-controller.yaml
new file mode 100644
index 000000000..eb0671c84
--- /dev/null
+++ b/dist/dist-packages/linux/nfpm-openziti-controller.yaml
@@ -0,0 +1,47 @@
+# nfpm configuration file
+#
+# check https://nfpm.goreleaser.com/configuration for detailed usage
+#
+name: openziti-controller
+arch: ${GOARCH}
+platform: linux
+version: ${ZITI_VERSION}
+maintainer: ${ZITI_MAINTAINER}
+description: >
+  Provides a system service for running an OpenZiti Controller
+vendor: ${ZITI_VENDOR}
+homepage: ${ZITI_HOMEPAGE}
+license: Apache-2.0
+
+# Umask to be used on files without explicit mode set. (overridable)
+umask: 0o002
+
+# Package version within this release version.
+release: 1
+
+# Section.
+section: default
+
+# Priority.
+priority: optional
+
+depends:
+  - openziti  # ziti CLI
+
+# Contents to add to the package.
+contents:
+  - dst: /lib/systemd/system/
+    src: ./dist/dist-packages/linux/openziti-controller/ziti-controller.service
+
+  - dst: /opt/openziti/etc/controller
+    type: dir
+    file_info:
+      mode: 0755
+
+  - dst: /opt/openziti/etc/controller/
+    src: ./dist/dist-packages/linux/openziti-controller/env
+    type: config|noreplace
+
+  - dst: /opt/openziti/etc/controller/
+    src: ./dist/dist-packages/linux/openziti-controller/entrypoint.bash
+
diff --git a/dist/dist-packages/linux/openziti-controller/entrypoint.bash b/dist/dist-packages/linux/openziti-controller/entrypoint.bash
new file mode 100755
index 000000000..2024e1f30
--- /dev/null
+++ b/dist/dist-packages/linux/openziti-controller/entrypoint.bash
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+#
+# this thin wrapper script for the OpenZiti Controller enables
+# - evaluating arguments from the env file
+# - future: bootstrapping a default run environment with PKI and initialized database
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# shellcheck disable=SC2068 # because we want to word-split args
+exec /opt/openziti/bin/ziti controller run $@
diff --git a/dist/dist-packages/linux/openziti-controller/env b/dist/dist-packages/linux/openziti-controller/env
new file mode 100644
index 000000000..7457e549b
--- /dev/null
+++ b/dist/dist-packages/linux/openziti-controller/env
@@ -0,0 +1,2 @@
+ZITI_CONTROLLER_RUN_ARGS="config.yml --log-formatter text --verbose"
+#PFXLOG_NO_JSON=true
diff --git a/dist/dist-packages/linux/openziti-controller/ziti-controller.service b/dist/dist-packages/linux/openziti-controller/ziti-controller.service
new file mode 100644
index 000000000..98a1fe952
--- /dev/null
+++ b/dist/dist-packages/linux/openziti-controller/ziti-controller.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenZiti Controller
+After=network-online.target
+
+[Service]
+Type=simple
+DynamicUser=yes
+StateDirectory=ziti-controller
+UMask=0007
+Restart=always
+RestartSec=3
+LimitNOFILE=65535
+EnvironmentFile=/opt/openziti/etc/controller/env
+ExecStart=/opt/openziti/etc/controller/entrypoint.bash ${ZITI_CONTROLLER_RUN_ARGS}
+
+[Install]
+WantedBy=multi-user.target