diff --git a/secrets/dcbot.age b/secrets/dcbot.age
new file mode 100644
index 0000000..8593d60
Binary files /dev/null and b/secrets/dcbot.age differ
diff --git a/secrets/default.nix b/secrets/default.nix
index 93ab03c..457129c 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -4,6 +4,10 @@
 file = ./transfer-sh.age;
 owner = "jsw";
 };
+ dcbot = {
+ file = ./dcbot.age;
+ owner = "dcbot";
+ };
 password.file = ./password.age;
 };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 2dcf99d..0a8489e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -9,4 +9,5 @@ let
 in {
 "transfer-sh.age".publicKeys = systems;
 "password.age".publicKeys = systems;
+ "dcbot.age".publicKeys = systems;
 }
diff --git a/system/server/bot.nix b/system/server/bot.nix
index 2eaa2c0..1c37204 100644
--- a/system/server/bot.nix
+++ b/system/server/bot.nix
@@ -1,37 +1,61 @@ { - inputs, + config, pkgs, lib, + inputs, ... }: let deno = lib.getExe pkgs.deno; + bash = lib.getExe pkgs.bash; mainDir = "/var/lib/dcbot/"; programDir = mainDir + "program"; dataDir = mainDir + "data"; + denoDir = mainDir + "deno"; - config = pkgs.writeText ".env" '' - config - ''; + path = builtins.concatStringsSep ":" (map (x: "${x}/bin/") [pkgs.coreutils pkgs.typst pkgs.deno]); in { - systemd.services.dcbot = { - enable = true; - after = ["network.target"]; - wantedBy = ["default.target"]; - description = "Jsw's slaafje, discord bot."; + config = lib.mkIf config.niksos.server { + systemd.services.dcbot = { + enable = true; + after = ["network.target"]; + wantedBy = ["default.target"]; + description = "Jsw's slaafje, discord bot."; - preStart = '' - mkdir -p "${programDir}" "${dataDir}/" + environment = { + "DENO_DIR" = denoDir; + "PATH" = lib.mkForce path; + }; - cp -r ${inputs.dcbot}/* "${programDir}/" - cp -r "${config}" "${programDir}/.env" + preStart = '' + export PATH=${path} - cd "${programDir}" - ${deno} i - ''; - serviceConfig = { - StateDirectory = "dcbot"; - ExecStart = "${deno} run -A ${programDir}/src/main.ts"; + cd "${mainDir}" + chown -R dcbot:dcbot ${mainDir}* || echo + chmod -R 750 ${mainDir}* || echo + + mkdir -p "${programDir}" "${dataDir}" "${denoDir}" + cp --no-preserve=mode,ownership -r ${inputs.dcbot}/* "${programDir}/" + + rm "${dataDir}/.env" + ln -s "${config.age.secrets.dcbot.path}" "${dataDir}/.env" + + cd "${programDir}" + DENO_DIR=${denoDir} deno i + ''; + + serviceConfig = { + StateDirectory = "dcbot"; + ExecStart = "${bash} -c 'cd ${dataDir} && deno run -A ${programDir}/src/main.ts'"; + User = "dcbot"; + group = "dcbot"; + }; + }; + + users.groups."dcbot" = {}; + users.users."dcbot" = { + group = "dcbot"; + isSystemUser = true; }; }; }
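Review bot: `rm "${dataDir}/.env"` in `preStart` fails when the link does not exist yet, and because NixOS generates the preStart script with `-e`, the unit would not start on a fresh state directory; a single `ln -sfn` line can replace the `rm`/`ln -s` pair. In `serviceConfig`, `group = "dcbot";` is not a key systemd recognises (directive names are case-sensitive, the key is `Group`), so it is ignored with a warning. The process that reads the decrypted token still runs as `deno run -A` with no unit sandboxing, so a compromised dependency pulled in by `deno i` gets everything the `dcbot` user can reach. The sketch below adds a few systemd restrictions as a starting point, and `-A` could be narrowed to explicit `--allow-net`/`--allow-read`/`--allow-env` grants once it is known what `main.ts` needs. The `dcbot` user is created only under `lib.mkIf config.niksos.server`, while the `owner = "dcbot"` entry in secrets/default.nix has no visible guard, so a host without the server flag may fail to install the secret; worth confirming how that file is imported.

```nix
preStart = ''
  # … unchanged: PATH export, chown/chmod, mkdir, cp …
  ln -sfn "${config.age.secrets.dcbot.path}" "${dataDir}/.env"
  # … unchanged: cd "${programDir}" and deno i …
'';

serviceConfig = {
  # … unchanged: StateDirectory, ExecStart, User …
  Group = "dcbot";
  NoNewPrivileges = true;
  PrivateTmp = true;
  ProtectHome = true;
  # StateDirectory stays writable under "strict"; the rest of the filesystem becomes read-only.
  ProtectSystem = "strict";
};
```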