diff --git a/hosts/freun-dev/secrets.nix b/hosts/freun-dev/secrets.nix
index de9ee98..caf6192 100644
--- a/hosts/freun-dev/secrets.nix
+++ b/hosts/freun-dev/secrets.nix
@@ -4,7 +4,6 @@
 (
 map (secret: { name = secret; value = { file = ../../secrets/${secret}.age; }; }) [
 "gotosocial"
- "hastebin-tokens"
 "immich"
 "readeck"
 "storage-box-credentials"
@@ -23,5 +22,13 @@
 else
 "root";
 };
+ hastebin-tokens = {
+ file = ../../secrets/hastebin-tokens.age;
+ owner =
+ if (config.services.hastebin.enable) then
+ config.users.users.hastebin.name
+ else
+ "root";
+ };
 };
 }
diff --git a/modules/services/hastebin.nix b/modules/services/hastebin.nix
index e03b0d2..333c64d 100644
--- a/modules/services/hastebin.nix
+++ b/modules/services/hastebin.nix
@@ -37,6 +37,18 @@ in
 auth_tokens_file = secrets.hastebin-tokens.path;
 };
 
+ users.users.hastebin = {
+ isSystemUser = true;
+ group = "hastebin";
+ };
+
+ users.groups.hastebin = { };
+
+ systemd.services.hastebin.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = "hastebin";
+ };
+
 services.webserver = {
 enable = lib.mkDefault true;
 vHosts.${fqdn} = {
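Review bot: The new `hastebin-tokens` entry sets only `file` and `owner`, so the permissions of the decrypted token file rest on the secret module's defaults rather than on anything stated in this file (for agenix, as far as I know, mode `0400` and a group derived from the owner). Because the file holds auth tokens and is now handed to a non-root service account, I would pin `mode = "0400";` next to `owner` so it stays owner-only if a default or a shared override changes. A short comment such as `# owned by the hastebin user: the unit runs as a static user, not DynamicUser` would also explain why this secret left the generic list above. The enclosing attribute set starts outside the hunk.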
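Review bot: Forcing `DynamicUser` off in `systemd.services.hastebin.serviceConfig` also drops the sandboxing that systemd implies with it (`ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp=`, `RemoveIPC=`, `NoNewPrivileges=`, `RestrictSUIDSGID=`), unless the upstream unit sets those itself, which is not visible here. The static `hastebin` user is what lets the token secret be owned by the service, so the switch itself is reasonable, but the hardening should be restated explicitly so the process holding the tokens keeps a read-only view of the system. The block below shows the settings I would add; it assumes the service writes only to paths that were already writable under DynamicUser (for example a state directory), which should be confirmed. The enclosing attribute set starts and ends outside the hunk, so I cannot tell whether these definitions are guarded by the module's enable option.

```nix
systemd.services.hastebin.serviceConfig = {
  # … unchanged: DynamicUser override …
  User = "hastebin";
  # Restate the sandboxing that DynamicUser=yes used to imply.
  ProtectSystem = "strict";
  ProtectHome = "read-only";
  PrivateTmp = true;
  RemoveIPC = true;
  NoNewPrivileges = true;
  RestrictSUIDSGID = true;
};
```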