diff --git a/data.nix b/data.nix
index f014b39..868c04e 100644
--- a/data.nix
+++ b/data.nix
@@ -5,6 +5,11 @@ rec {
     gitea = 995;
     updaterbot-deployer = 501;
     updaterbot-deployee = 502;
+
+    # the underscore differentiates "our" user from the
+    # "upstream" user. We need a way to configure the uidgid,
+    # so creating users explicitly.
+    node_exporter = 503;
   };
 
   ports = {
diff --git a/modules/services/node_exporter/default.nix b/modules/services/node_exporter/default.nix
index d37bcde..c43e7c5 100644
--- a/modules/services/node_exporter/default.nix
+++ b/modules/services/node_exporter/default.nix
@@ -13,6 +13,18 @@
       enable = true;
       enabledCollectors = ["systemd" "processes"];
       port = myData.ports.exporters.node;
+      user = "node_exporter";
+      group = "node_exporter";
+    };
+
+    users.users.node_exporter = {
+      isSystemUser = true;
+      group = "node_exporter";
+      uid = myData.uidgid.node_exporter;
+    };
+
+    users.groups.node_exporter = {
+      gid = myData.uidgid.node_exporter;
     };
 
     mj.services.friendlyport.vpn.ports = [