diff --git a/flake.nix b/flake.nix
index 4d4c22f..9c94106 100644
--- a/flake.nix
+++ b/flake.nix
@@ -38,9 +38,26 @@
         config = {
           baseDomain = mkOption {
             type = types.str;
-            description = "Base domain";
+            description = "Base domain.";
           };
         };
+
+        users = mkOption {
+          type = types.attrsOf (types.submodule {
+            password = mkOption {
+              type = types.str;
+              default = null;
+              description = "API password for the user";
+            };
+          });
+          example = literalExpression ''
+            {
+              "exampleuser" = {
+                password = "insecure";
+              };
+            }
+          '';
+        };
       };
 
       config = mkIf cfg.enable {
@@ -50,7 +67,10 @@
           serviceConfig = let pkg = self.packages.${pkgs.system}.default;
           in {
             Restart = "on-failure";
-            ExecStart = "${pkg}/bin/norbert ${toINI cfg.config}";
+            ExecStart = "${pkg}/bin/norbert ${pkgs.writeText "config" generators.toINIWithGlobalSection {} {
+              globalSection = cfg.config;
+              sections = cfg.users;
+            }}";
             DynamicUser = "yes";
           };
         };