diff --git a/nixosModules/eko.nix b/nixosModules/eko.nix
index 19115a5..d4480e6 100644
--- a/nixosModules/eko.nix
+++ b/nixosModules/eko.nix
@@ -16,29 +16,31 @@
       ];
     };
 
-    # Make sure the "eko" user has access to /srv/eko
-    systemd.tmpfiles.rules = [
-      "d /srv/eko 0750 eko eko"
-    ];
-
     # Open port for the server to listen on
     networking.firewall.allowedTCPPorts = [ 7223 ];
 
     sops.secrets.eko-server-cert-key = { owner = "eko"; };
 
     systemd.services.eko = {
-      description = "Eko (a secure terminal-based social media)";
+      description = "Eko - a secure terminal-based social media";
 
       wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       wantedBy = [ "multi-user.target" ];
 
-      script = ''
-        cd /srv/eko
-        SERVER_CERT_KEY_FILE=${config.sops.secrets.eko-server-cert-key.path} ./eko-server --stdout
-      '';
-
       serviceConfig = {
+        Restart = "on-failure";
+        RestartSec = "10s";
+
+        Environment = "SERVER_CERT_KEY_FILE=${config.sops.secrets.eko-server-cert-key.path}";
+        ExecStart = "%S/eko/eko-server --logs /var/log/eko";
+
+        ConfigurationDirectory = "eko";
+        StateDirectory = "eko";
+        LogsDirectory = "eko";
+        WorkingDirectory = "%S/eko";
+        Type = "simple";
+
         User = "eko";
         Group = "eko";
 
@@ -48,8 +50,6 @@
         ProtectKernelModules = true;
         ProtectKernelTunables = true;
         ProtectProc = "invisible";
-        ProtectSystem = "strict";
-        ReadWritePaths = [ "/srv/eko" ];
         RestrictAddressFamilies = [
           "AF_INET"
           "AF_INET6"
@@ -58,9 +58,6 @@
         RestrictNamespaces = true;
         RestrictRealtime = true;
         RestrictSUIDSGID = true;
-
-        Restart = "always";
-        RestartSec = "10s";
       };
     };
 
@@ -75,16 +72,6 @@
       grafana-alloy
     ];
 
-    users.groups.alloy = { };
-    users.users.alloy = {
-      createHome = false;
-      isNormalUser = true;
-      group = "alloy";
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7P9K9D5RkBk+JCRRS6AtHuTAc6cRpXfRfRMg/Kyren"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbntLELS9l2auPVZtCtQ6KYQNka72qDbTdkDtX9rkyJ"
-      ];
-    };
     systemd.services.alloy = {
       description = "Alloy";
 
@@ -92,11 +79,15 @@
       after = [ "network-online.target" ];
       wantedBy = [ "multi-user.target" ];
 
+      reloadTriggers = lib.mapAttrsToList (_: v: v.source or null) (
+        lib.filterAttrs (n: _: lib.hasPrefix "alloy/" n && lib.hasSuffix ".alloy" n) config.environment.etc
+      );
+
       serviceConfig = {
         Restart = "always";
         RestartSec = "2s";
 
-        User = "root";
+        User = "root"; # TODO: make these not root?
         Group = "root";
 
         SupplementaryGroups = [
@@ -109,13 +100,13 @@
         WorkingDirectory = "%S/alloy";
         Type = "simple";
 
-        ExecStart = "${lib.getExe pkgs.grafana-alloy} run /etc/alloy/config.alloy";
+        ExecStart = "${lib.getExe pkgs.grafana-alloy} run /etc/alloy/";
         ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
       };
     };
 
     environment.etc = {
-      "alloy/config.alloy".text = builtins.readFile ./eko-config.alloy;
+      "alloy/eko-config.alloy".text = builtins.readFile ./eko-config.alloy;
     };
 
   };