diff --git a/.goreleaser.yml b/.goreleaser.yml
index ae217ee557d93acdd9c500a42d3991b814f11cbd..7148ef61255638b24ca19d32bf089bc542b5a16e 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -52,6 +52,8 @@ nfpms:
         type: config
       - src: config/ntfy.service
         dst: /lib/systemd/system/ntfy.service
+      - dst: /var/cache/ntfy
+        type: dir
     scripts:
       postinstall: "scripts/postinst.sh"
       preremove: "scripts/prerm.sh"
diff --git a/Makefile b/Makefile
index 5a88647ec71c170cb03fe32954d1622040b50552..d4da687c12cfdc3f5432e3b6273ef2cb854e9dac 100644
--- a/Makefile
+++ b/Makefile
@@ -143,4 +143,4 @@ install:
 install-deb:
 	sudo systemctl stop ntfy || true
 	sudo apt-get purge ntfy || true
-	sudo dpkg -i dist/*.deb
+	sudo dpkg -i dist/ntfy_*_linux_amd64.deb
diff --git a/config/config.yml b/config/config.yml
index 89f8ad5583a7459d1871829973e48ed984eff77a..dec13fbb3c0ec6d4c84b4478e780791e5c259762 100644
--- a/config/config.yml
+++ b/config/config.yml
@@ -28,6 +28,9 @@
 # If set, messages are cached in a local SQLite database instead of only in-memory. This
 # allows for service restarts without losing messages in support of the since= parameter.
 #
+# Note: If you are running ntfy with systemd, make sure this cache file is owned by the
+#       ntfy user and group by running: chown ntfy.ntfy <filename>.
+#
 # cache-file: <filename>
 
 # Duration for which messages will be buffered before they are deleted.
diff --git a/config/ntfy.service b/config/ntfy.service
index 21acea505e8073a8b23198e923645b8983ed280d..77899517dea628e60686316a7bb9fa4d180dff4b 100644
--- a/config/ntfy.service
+++ b/config/ntfy.service
@@ -3,8 +3,11 @@ Description=ntfy server
 After=network.target
 
 [Service]
+User=ntfy
+Group=ntfy
 ExecStart=/usr/bin/ntfy
 Restart=on-failure
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 LimitNOFILE=10000
 
 [Install]
diff --git a/scripts/postinst.sh b/scripts/postinst.sh
index 0a09edbf5e2cd078e10e8a62ede41a43c5dcd451..2fa34e7c0664da0397420a562103cf7241bb349a 100755
--- a/scripts/postinst.sh
+++ b/scripts/postinst.sh
@@ -7,6 +7,21 @@ set -e
 # TODO: This is only tested on Debian.
 #
 if [ "$1" = "configure" ] && [ -d /run/systemd/system ]; then
+  # Create ntfy user/group
+  id ntfy >/dev/null 2>&1 || useradd --system --no-create-home ntfy
+  chown ntfy.ntfy /var/cache/ntfy
+  chmod 700 /var/cache/ntfy
+
+  # Hack to change permissions on cache file
+  configfile="/etc/ntfy/config.yml"
+  if [ -f "$configfile" ]; then
+    cachefile="$(cat "$configfile" | perl -n -e'/^\s*cache-file: (.+)/ && print $1')"
+    if [ -n "$cachefile" ]; then
+      chown ntfy.ntfy "$cachefile" || true
+    fi
+  fi
+
+  # Restart service
   systemctl --system daemon-reload >/dev/null || true
   if systemctl is-active -q ntfy.service; then
     echo "Restarting ntfy.service ..."
diff --git a/scripts/postrm.sh b/scripts/postrm.sh
index 1eac8a71a155fcc4a82918728057a1deb473b3e9..78db62e8d181c6c72d4753b197f768ab1f3edfc0 100755
--- a/scripts/postrm.sh
+++ b/scripts/postrm.sh
@@ -3,6 +3,8 @@ set -e
 
 # Delete the config if package is purged
 if [ "$1" = "purge" ]; then
-  echo "Deleting /etc/ntfy ..."
-  rm -rf /etc/ntfy || true
+  id ntfy >/dev/null 2>&1 && userdel ntfy
+  rm -f /etc/ntfy/config.yml
+  rmdir /etc/ntfy || true
 fi
+