diff --git a/configuration/default.nix b/configuration/default.nix
index a00235b..1bbb6bb 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -1,8 +1,12 @@
 { config, pkgs, ... }:
 
 {
-  imports =
-    [ ./services/gitea.nix ./services/nextcloud.nix ./services/webserver.nix ];
+  imports = [
+    ./services/gitea.nix
+    ./services/nextcloud.nix
+    ./services/webserver.nix
+    ./ids.nix
+  ];
 
   nix = {
     package = pkgs.nixFlakes;
diff --git a/configuration/ids.nix b/configuration/ids.nix
new file mode 100644
index 0000000..895b976
--- /dev/null
+++ b/configuration/ids.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  ids.uids = {
+    # System user ids start at 400 (see nixos/modules/programs/shadow.nix)
+    webserver = 400;
+    # The limit is 999
+  };
+}
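Review bot: The pinned uid 400 in `ids.uids.webserver` lies inside the 400 to 999 range that the file's own comments give for system users, which is presumably also where NixOS allocates uids for system users that have no fixed one, so on an existing host it could clash with an account that already holds 400. The comments should state why a value inside that range is safe, or what to check before deploying, for example `# Pinned so the container's User matches file ownership on the host; confirm no existing account holds uid 400`. As far as I know `ids.uids` is also the table NixOS uses for its own static ids, so a header comment saying these entries extend that table would help the next reader.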
diff --git a/configuration/services/webserver.nix b/configuration/services/webserver.nix
index 1a182e2..e1c396d 100644
--- a/configuration/services/webserver.nix
+++ b/configuration/services/webserver.nix
@@ -1,6 +1,12 @@
 { config, pkgs, ... }:
 
 {
+  users.extraUsers.webserver = {
+    uid = config.ids.uids.webserver;
+    isSystemUser = true;
+    description = "tlater.net web server user";
+  };
+
   virtualisation.oci-containers.containers.webserver = {
     image = "tlaternet/webserver";
 
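Review bot: `users.extraUsers.webserver` sets no `group`, so the gid that the second hunk puts into the container's `User` comes from whatever default group the users module assigns, presumably one shared with other unprivileged accounts. A dedicated group with a pinned gid keeps files on the mail volume from being group-accessible to unrelated services, and it avoids `toString group.gid` evaluating to an empty string if the resolved group has no static gid. I would add `group = "webserver";` together with `users.groups.webserver.gid = config.ids.gids.webserver;` and a matching entry in `ids.nix`. `users.extraUsers` is the older alias of `users.users`, which would be the better name in new code.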
@@ -9,18 +15,24 @@
       tag = "latest";
       contents = pkgs.tlaternet-webserver.webserver;
 
-      config = {
+      config = let
+        user = config.users.extraUsers.webserver;
+        group = config.users.groups.${user.group};
+        uid = toString user.uid;
+        gid = toString group.gid;
+      in {
         Cmd = [ "tlaternet-webserver" ];
         Volumes = { "/srv/mail" = { }; };
         Env = [
-          "ROCKET_PORT=80"
+          "ROCKET_PORT=3002"
           "ROCKET_TEMPLATE_DIR=${pkgs.tlaternet-templates.templates}/browser/"
         ];
-        ExposedPorts = { "80" = { }; };
+        ExposedPorts = { "3002" = { }; };
+        User = "${uid}:${gid}";
       };
     };
 
-    ports = [ "3002:80" ];
+    ports = [ "3002:3002" ];
     volumes = [ "tlaternet-mail:/srv/mail" ];
     extraOptions = [ "--hostname=tlater.net" ];
   };
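Review bot: With `User = "${uid}:${gid}"` the server stops running as root, but the `tlaternet-mail` volume mounted at `/srv/mail` keeps the ownership it already has; if it was created while the container ran as root, the process may no longer be able to write there. Ownership of that volume should be fixed as part of the deployment, or at least noted next to the `volumes` line, e.g. `# /srv/mail must be owned by the webserver uid/gid`. Separately, `ports = [ "3002:3002" ]` publishes the port on every host interface; if a reverse proxy on the same host is the only intended client, `ports = [ "127.0.0.1:3002:3002" ];` limits the exposure. The container definition begins before this hunk.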
diff --git a/flake.nix b/flake.nix
index 39f32f8..2d4d3f8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -30,6 +30,7 @@
             tlaternet-webserver.legacyPackages.${prev.system}.packages;
           tlaternet-templates =
             tlaternet-templates.legacyPackages.${prev.system}.packages;
+          local = import ./pkgs { pkgs = prev; };
         })
       ];