diff --git a/module.nix b/module.nix
index 22989b8..cf4ad60 100644
--- a/module.nix
+++ b/module.nix
@@ -2,12 +2,24 @@ let
 cfg = config.services.pvv-calendar-bot;
 inherit (lib) mkDefault mkEnableOption mkPackageOption mkIf mkOption types mdDoc;
-in {
+in
+{
 options.services.pvv-calendar-bot = {
 enable = mkEnableOption (lib.mdDoc "Enable pvv-calendar-bot to post to matrix");
- package = mkPackageOption pkgs "pvv-calendar-bot" {};
+ package = mkPackageOption pkgs "pvv-calendar-bot" { };
+
+ user = mkOption {
+ type = types.str;
+ default = "pvv-calendar-bot";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "pvv-calendar-bot";
+ };
+
 settings = {
 onCalendar = mkOption {
 type = types.str;
@@ -37,11 +49,22 @@ in {
 type = types.path;
 description = mdDoc "Path to secrets file that defines MATRIX_ACCESS_TOKEN";
 };
-
 };
 };
 config = mkIf cfg.enable {
+ users.users = mkIf (cfg.user == "pvv-calendar-bot") {
+ pvv-calendar-bot = {
+ description = "PVV Calendar Matrix Bot User";
+ isSystemUser = true;
+ group = cfg.group;
+ };
+ };
+
+ users.groups = mkIf (cfg.group == "pvv-calendar-bot") {
+ pvv-calendar-bot = { };
+ };
+
 systemd.timers."pvv-calendar-bot" = {
 wantedBy = [ "timers.target" ];
 timerConfig = {
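Review bot: The new `user` and `group` options carry no `description`, unlike `enable` and the `settings` options in this module, which document themselves through `mdDoc`. Since the `users.users` and `users.groups` definitions in the following hunk are gated on the default names, an operator who sets a different value must provision that account themselves, and the option text is the place to say so. Suggest `description = mdDoc "User account the bot runs as. Only the default account is created by this module; any other value must already exist.";` for `user`, and the parallel wording for `group`.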
@@ -51,25 +74,27 @@ in {
 };
 systemd.services."pvv-calendar-bot" = {
- preStart = let
- envFile = pkgs.writeText "pvv-calendar-bot-env" ''
- MATRIX_URL=${cfg.settings.matrix.homeserver}
- MATRIX_USER=${cfg.settings.matrix.user}
- ANNOUNCEMENT_CHANNEL=${cfg.settings.matrix.channel}
- MATRIX_TOKEN=@MATRIX_ACCESS_TOKEN@
- '';
- in ''
- ${pkgs.replace-secret}/bin/replace-secret '@MATRIX_ACCESS_TOKEN@' ${cfg.settings.secretsFile} /run/pvv-calendar-bot/env
- '';
+ preStart =
+ let
+ envFile = pkgs.writeText "pvv-calendar-bot-env" ''
+ MATRIX_URL=${cfg.settings.matrix.homeserver}
+ MATRIX_USER=${cfg.settings.matrix.user}
+ ANNOUNCEMENT_CHANNEL=${cfg.settings.matrix.channel}
+ MATRIX_TOKEN=@MATRIX_ACCESS_TOKEN@
+ '';
+ in
+ ''
+ install -Dm600 ${envFile} /run/pvv-calendar-bot/env
+ ${pkgs.replace-secret}/bin/replace-secret '@MATRIX_ACCESS_TOKEN@' ${cfg.settings.secretsFile} /run/pvv-calendar-bot/env
+ '';
 serviceConfig = {
 ExecStart = "${cfg.package}/bin/pvv-calendar-bot";
 RuntimeDirectory = "pvv-calendar-bot";
- DynamicUser = true;
 EnvironmentFile = [ "-/run/pvv-calendar-bot/env" ];
+ User = cfg.user;
+ Group = cfg.group;
 };
 };
-
 };
-
 }
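Review bot: Removing `DynamicUser = true` from `serviceConfig` also removes the sandboxing that DynamicUser implies (NoNewPrivileges, PrivateTmp, RemoveIPC, RestrictSUIDSGID, ProtectSystem=strict, ProtectHome=read-only), so the unit now runs under a persistent account with none of that hardening unless it is restated. Those settings should be added next to the new `User`/`Group` lines; the RuntimeDirectory remains writable under ProtectSystem=strict, so the `install -Dm600` and replace-secret steps in preStart keep working as before. Note also that preStart now executes as `cfg.user`, so `cfg.settings.secretsFile` has to be readable by that account — presumably the reason for the switch, and worth stating in that option's description, which lies outside this hunk.
```nix
serviceConfig = {
  # … unchanged: ExecStart, RuntimeDirectory, EnvironmentFile, User, Group …
  # Restate what DynamicUser=true used to imply; a static account gets none of it.
  NoNewPrivileges = true;
  PrivateTmp = true;
  RemoveIPC = true;
  RestrictSUIDSGID = true;
  ProtectSystem = "strict";
  ProtectHome = "read-only";
};
```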