diff --git a/modules/e11sync/default.nix b/modules/e11sync/default.nix
index f94142f..59209ce 100644
--- a/modules/e11sync/default.nix
+++ b/modules/e11sync/default.nix
@@ -6,11 +6,57 @@ e11sync-backend: {
 options.e11sync = with lib.types; {
 enable = lib.mkEnableOption "Enable e11sync";
 secretKeyPath = lib.mkOption {type = path;};
+ migrateOnStart = lib.mkOption {
+ type = bool;
+ default = false;
+ };
+ backendPort = lib.mkOption {
+ type = int;
+ default = 8002;
+ };
 };
- config = lib.mkIf config.e11sync.enable {
- environment.systemPackages = [
- e11sync-backend
- ];
- };
+ config = let
+ cfg = config.e11sync;
+ pkg-backend = e11sync-backend.override {
+ inherit (cfg) backendPort;
+ databasePath = "/var/lib/e11sync/db.sqlite3";
+ };
+ in
+ lib.mkIf cfg.enable {
+ environment.systemPackages = [
+ pkg-backend
+ ];
+
+ systemd.services = {
+ e11sync-backend = {
+ description = "e11sync backend";
+ environment = {
+ TZ = "UTC";
+ E11SYNC_SECRET_KEY_PATH = "/run/credentials/secret_key";
+ };
+ wantedBy = ["multi-user.target"];
+ serviceConfig =
+ {
+ Type = "notify";
+ NotifyAccess = "all";
+ Restart = "on-failure";
+ RuntimeDirectory = "e11sync";
+ StateDirectory = "e11sync";
+ WorkingDirectory = "/var/lib/e11sync";
+ LoadCredential = "secret_key:${cfg.secretKeyPath}";
+ ExecStart = "${pkg-backend}/bin/e11sync-backend";
+
+ DynamicUser = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ }
+ // lib.mkIf cfg.migrateOnStart {
+ ExecStartPre = "${pkg-backend}/bin/e11sync migrate";
+ };
+ };
+ };
+ };
 }
diff --git a/pkgs/e11sync-backend.nix b/pkgs/e11sync-backend.nix
index 9fdb87b..f1e8275 100644
--- a/pkgs/e11sync-backend.nix
+++ b/pkgs/e11sync-backend.nix
@@ -9,7 +9,7 @@
 dart-sass,
 uwsgi,
 backendPort ? 8002,
- database-path ? null,
+ databasePath ? null,
 geoip-mmdb,
 }: let
 uwsgi-python = uwsgi.override {plugins = ["python3"];};
@@ -41,8 +41,8 @@ in
 --add-flags "--http-socket 127.0.0.1:${toString backendPort}" \
 --add-flags "--wsgi-file e11sync/wsgi.py" \
 --add-flags --master \
- ${lib.optionalString (database-path != null) ''
- --set E11SYNC_DATABASE_PATH "${database-path}" \
+ ${lib.optionalString (databasePath != null) ''
+ --set E11SYNC_DATABASE_PATH "${databasePath}" \
 ''} \
 --set E11SYNC_DEBUG "" \
 --set E11SYNC_COMPRESS_OFFLINE 1 \
diff --git a/vm.nix b/vm.nix
index 177689d..77c97be 100644
--- a/vm.nix
+++ b/vm.nix
@@ -1,5 +1,9 @@
 {pkgs, ...}: {
- e11sync.enable = true;
+ e11sync = {
+ enable = true;
+ secretKeyPath = "/etc/super";
+ migrateOnStart = true;
+ };
 environment.systemPackages = with pkgs; [
 tmux
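Review bot: The `serviceConfig = { … } // lib.mkIf cfg.migrateOnStart { ExecStartPre = …; }` expression in the new systemd unit does not gate ExecStartPre the way the option name suggests: `lib.mkIf` evaluates to an attrset tagged `_type = "if"` with `condition`/`content` fields rather than to its content, so the `//` merge stamps those keys onto serviceConfig and, as far as I can tell from how the module system pushes `_type = "if"` definitions down, the whole definition is then treated as the conditional — `Type`, `Restart`, `LoadCredential`, `ExecStart` and the DynamicUser/NoNewPrivileges/PrivateDevices/ProtectKernelTunables/ProtectControlGroups hardening are discarded and only ExecStartPre survives when migrateOnStart is true. A plain attrset conditional is what is wanted here: `// lib.optionalAttrs cfg.migrateOnStart { ExecStartPre = "${pkg-backend}/bin/e11sync migrate"; }`. Separately, `E11SYNC_SECRET_KEY_PATH = "/run/credentials/secret_key"` does not match where `LoadCredential = "secret_key:…"` materialises the file, which is a per-unit directory, so the backend will not find its key; use `"/run/credentials/e11sync-backend.service/secret_key"` (or `%d/secret_key`, if you rely on specifier expansion in `Environment=`), and consider making `secretKeyPath` carry a `description` so the expected file permissions are documented alongside the option. The module's enclosing function header lies before the hunk.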