diff --git a/server/service.nix b/server/service.nix
index d51065f..2cf213b 100644
--- a/server/service.nix
+++ b/server/service.nix
@@ -7,26 +7,19 @@ in
 {
   options.services.picture-frame-server = {
     enable = lib.mkEnableOption "enable picture-frame-server";
-    user = lib.mkOption {
-      type = lib.types.str;
-      default = "picture-frame-server";
-      description = ''
-        The user the server should run as
-      '';
-    };
-    group = lib.mkOption {
-      type = lib.types.str;
-      default = "picture-frame-server";
-      description = ''
-        The group the server should run as
-      '';
-    };
     imgDir = lib.mkOption {
       type = lib.types.str;
       description = ''
         Directory of images that the server will serve
       '';
     };
+    imgDirGroup = lib.mkOption {
+      type = lib.types.str;
+      description = ''
+        The group the server will run as a member of.
+        So the server can have read access to `imgDir`.
+      '';
+    };
     port = lib.mkOption {
       type = lib.types.int;
       default = 18450;
@@ -38,18 +31,17 @@ in
   config = lib.mkIf cfg.enable {
     nixpkgs.overlays = [ overlay ];
-    users.users.${cfg.user} = {
-      isSystemUser = true;
-      group = cfg.group;
-    };
-    users.groups.${cfg.group} = { };
     systemd.services.picture-frame-server = {
       enable = true;
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      serviceConfig.ExecStart = "${pkgs.picture-frame.server}/bin/server ${toString cfg.port} ${cfg.imgDir}";
-      serviceConfig.User = cfg.user;
-      serviceConfig.Group = cfg.group;
+      serviceConfig = {
+        ExecStart = "${pkgs.picture-frame.server}/bin/server ${toString cfg.port} ${cfg.imgDir}";
+        DynamicUser = true;
+        PrivateTmp = true;
+        User = "picture-frame-server";
+        SupplementaryGroups = [ cfg.imgDirGroup ];
+      };
     };
   };
 }
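Review bot: The new `imgDirGroup` description does not say that the group has to exist already; this module no longer declares any `users.groups` entry (the old `users.groups.${cfg.group}` definition is dropped in the second hunk), and as far as I know systemd refuses to start a unit whose `SupplementaryGroups=` names an unknown group. Suggest appending to the description: `The group must already exist on the system (this module does not create it), and imgDir must be readable by it.` That also makes the option's required-ness (no `default`) self-explanatory to someone migrating from the removed `user`/`group` options.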
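Review bot: In the new `serviceConfig` block, `cfg.imgDir` is a `types.str` interpolated unquoted into `ExecStart`, so a directory path containing whitespace is split into several arguments by systemd's command-line parser and the server receives a wrong path; wrap it as `ExecStart = "${pkgs.picture-frame.server}/bin/server ${toString cfg.port} ${lib.escapeShellArg cfg.imgDir}";`, since systemd's ExecStart quoting accepts the single-quoted form `escapeShellArg` produces. The same was true of the removed `serviceConfig.ExecStart` line, so this is pre-existing rather than a regression. `PrivateTmp = true` is redundant next to `DynamicUser = true`, which per systemd.exec(5) already implies PrivateTmp, RemoveIPC, ProtectSystem=strict, ProtectHome=read-only and NoNewPrivileges; keeping it is harmless, but a one-line comment such as `# DynamicUser already implies PrivateTmp/ProtectSystem=strict; listed for clarity` would spare the next reader the lookup. Worth noting in that comment too that with `ProtectSystem=strict` the server can only read `imgDir`, never write into it, which matches its serve-only role.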