diff --git a/flake.nix b/flake.nix
index 4d4c22f..a9005af 100644
--- a/flake.nix
+++ b/flake.nix
@@ -38,8 +38,40 @@ config = {
 baseDomain = mkOption {
 type = types.str;
- description = "Base domain";
+ description = "Base domain.";
 };
+
+ dnsPort = mkOption {
+ type = types.port;
+ description = "DNS server port";
+ default = 15353;
+ };
+
+ apiPort = mkOption {
+ type = types.port;
+ description = "API port";
+ default = 18000;
+ };
+ };
+
+ users = mkOption {
+ default = {};
+ type = types.attrsOf (types.submodule {
+ options = {
+ password = mkOption {
+ type = types.str;
+ default = null;
+ description = "API password for the user";
+ };
+ };
+ });
+ example = literalExpression ''
+ {
+ "exampleuser" = {
+ password = "insecure";
+ };
+ }
+ '';
 };
 };
@@ -50,8 +82,12 @@ serviceConfig = let pkg = self.packages.${pkgs.system}.default; in {
 Restart = "on-failure";
- ExecStart = "${pkg}/bin/norbert ${toINI cfg.config}";
+ ExecStart = "${pkg}/bin/norbert ${pkgs.writeText "config" (generators.toINIWithGlobalSection {} {
+ globalSection = cfg.config;
+ sections = cfg.users;
+ })}";
 DynamicUser = "yes";
+ AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
 };
 };
 };
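Review bot: The new `users.<name>.password` option takes the API password as a plain Nix string, and the second hunk renders `cfg.users` with `pkgs.writeText`, so every password lands in a world-readable file under `/nix/store` and stays in old generations. A safer shape is a `passwordFile` option (`type = types.path;`) that points at a secret kept outside the store and is handed to the unit with systemd's `LoadCredential=`. Whether norbert can read a password from a file is not visible in this diff, so that part needs checking. Separately, `default = null;` does not satisfy `type = types.str;` and will likely fail evaluation for a user declared without a password; use `type = types.nullOr types.str;` or drop the default so the option is required. At minimum the description should warn: `description = "API password for the user. Stored in plain text in the Nix store.";`.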
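Review bot: `AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];` is granted unconditionally, although the defaults added in the first hunk (`dnsPort = 15353`, `apiPort = 18000`) are both unprivileged, so in the default configuration the service holds a capability it never needs. Consider granting it only when a configured port is below 1024, e.g. `AmbientCapabilities = lib.optional (cfg.config.dnsPort < 1024 || cfg.config.apiPort < 1024) "CAP_NET_BIND_SERVICE";`, assuming `lib` is in scope and the ports live under `cfg.config` as the option layout suggests. Pairing it with a matching `CapabilityBoundingSet` and `NoNewPrivileges = true;` would keep the unit from acquiring anything beyond that. The `serviceConfig` block opens in the context lines and the rest of the unit is outside this hunk, so existing hardening there could not be checked.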