diff --git a/contrib/systemd/yggdrasil.service b/contrib/systemd/yggdrasil.service
index f8c2dd22..f824cf02 100644
--- a/contrib/systemd/yggdrasil.service
+++ b/contrib/systemd/yggdrasil.service
@@ -6,16 +6,21 @@ After=network-online.target
 After=yggdrasil-default-config.service
 
 [Service]
+User=yggdrasil
 Group=yggdrasil
 ProtectHome=true
 ProtectSystem=true
 SyslogIdentifier=yggdrasil
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
 ExecStartPre=+-/sbin/modprobe tun
 ExecStart=/usr/bin/yggdrasil -useconffile /etc/yggdrasil.conf
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=always
 TimeoutStopSec=5
 
+# make sure /var/run/yggdrasil/ is created writable for the user.
+RuntimeDirectory=yggdrasil
+# the small list of admin capabilities we need to do our job
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
+
 [Install]
 WantedBy=multi-user.target
diff --git a/contrib/systemd/yggdrasil.sysusers b/contrib/systemd/yggdrasil.sysusers
new file mode 100644
index 00000000..1cea8959
--- /dev/null
+++ b/contrib/systemd/yggdrasil.sysusers
@@ -0,0 +1 @@
+u yggdrasil - "Yggdrasil network daemon"