diff --git a/modules/age-secrets.nix b/modules/age-secrets.nix
index cd43825..b38ba82 100644
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -58,6 +58,8 @@
     ddns-updater-config = {
       file = ../secrets/ddns-updater-config.age;
       mode = "0400";
+      owner = "ddns-updater";
+      group = "ddns-updater";
     };
 
     jellyfin-api-key = {
diff --git a/services/ddns-updater.nix b/services/ddns-updater.nix
index 9b145c9..aba9402 100644
--- a/services/ddns-updater.nix
+++ b/services/ddns-updater.nix
@@ -1,5 +1,6 @@
 {
   config,
+  lib,
   ...
 }:
 {
@@ -11,4 +12,16 @@
       CONFIG_FILEPATH = config.age.secrets.ddns-updater-config.path;
     };
   };
+
+  users.users.ddns-updater = {
+    isSystemUser = true;
+    group = "ddns-updater";
+  };
+  users.groups.ddns-updater = { };
+
+  systemd.service.ddns-updater.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "ddns-updater";
+    Group = "ddns-updater";
+  };
 }