diff --git a/hosts/by-name/servo/services/navidrome.nix b/hosts/by-name/servo/services/navidrome.nix
index 1e320b441..0933a08de 100644
--- a/hosts/by-name/servo/services/navidrome.nix
+++ b/hosts/by-name/servo/services/navidrome.nix
@@ -1,11 +1,8 @@
-{ ... }:
+{ lib, ... }:
 {
 sane.persist.sys.plaintext = [
- # TODO: we don't have a static user allocated for navidrome!
- # the chown would happen too early for us to set static perms
- "/var/lib/private/navidrome"
- # { user = "navidrome"; group = "navidrome"; directory = "/var/lib/private/navidrome"; }
+ { user = "navidrome"; group = "navidrome"; directory = "/var/lib/navidrome"; }
 ];
 services.navidrome.enable = true;
 services.navidrome.settings = {
@@ -18,6 +15,20 @@
 ScanSchedule = "@every 1h";
 };
+ systemd.services.navidrome.serviceConfig = {
+ # fix to use a normal user so we can configure perms correctly
+ DynamicUser = lib.mkForce false;
+ User = "navidrome";
+ Group = "navidrome";
+ };
+
+ users.groups.navidrome = {};
+
+ users.users.navidrome = {
+ group = "navidrome";
+ isSystemUser = true;
+ };
+
 services.nginx.virtualHosts."music.uninsane.org" = {
 forceSSL = true;
 enableACME = true;
diff --git a/hosts/common/ids.nix b/hosts/common/ids.nix
index 7146e97e4..c9cb1db44 100644
--- a/hosts/common/ids.nix
+++ b/hosts/common/ids.nix
@@ -25,6 +25,8 @@
 sane.ids.signald.gid = 2403;
 sane.ids.mautrix-signal.uid = 2404;
 sane.ids.mautrix-signal.gid = 2404;
+ sane.ids.navidrome.uid = 2405;
+ sane.ids.navidrome.gid = 2405;
 sane.ids.colin.uid = 1000;
 sane.ids.guest.uid = 1100;
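Review bot: The new persist entry in the first navidrome.nix hunk moves the state from `/var/lib/private/navidrome` to `/var/lib/navidrome`, and nothing visible in the diff carries the existing data over or re-owns it from the old dynamic uid to the static `navidrome` user. A short comment on the entry would record that, e.g. `# state previously lived in /var/lib/private/navidrome (DynamicUser); move it and chown to navidrome when deploying`. The entry also sets no permission mode, so access to the directory depends on whatever sane.persist applies by default, which is not shown here. Navidrome's database holds account credentials, so it is worth confirming the directory does not end up readable by other users.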
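Review bot: In the second navidrome.nix hunk, `DynamicUser = lib.mkForce false;` also turns off the sandboxing systemd implies for dynamic users (`ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp`, `RemoveIPC`, `NoNewPrivileges`, `RestrictSUIDSGID`), and the new `serviceConfig` block restores none of it. Whether the upstream navidrome module sets any of these explicitly is not visible in this diff, so whatever it leaves implicit is now disabled for a service exposed through `music.uninsane.org`. I would restate them beside `User`/`Group`, e.g. `NoNewPrivileges = true;`, `PrivateTmp = true;`, `ProtectSystem = "strict";`, assuming the state directory stays writable through StateDirectory or an explicit ReadWritePaths. The existing comment could also say that the hardening is spelled out because DynamicUser no longer provides it.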