diff --git a/examples/postfix/default.nix b/examples/postfix/default.nix index 6abd8980..5250d62c 100644 --- a/examples/postfix/default.nix +++ b/examples/postfix/default.nix @@ -22,50 +22,38 @@ nglib.makeSystem { in { config = { - dumb-init = { - enable = true; - type.services = { }; - }; + dinit.enable = true; + init.services.postfix = { - shutdownOnExit = true; - - ensureSomething.create."mailDir" = { - type = "directory"; - mode = "755"; - owner = "5000:5000"; - persistent = true; - dst = "/var/mail/vhosts"; - }; + shutdownOnExit = false; - ensureSomething.create."postfixSpoolDir" = { - type = "directory"; - mode = "750"; - owner = "root:root"; - persistent = false; - dst = "/var/spool/postfix/"; - }; + tmpfiles = with nglib.nottmpfiles.dsl; [ + (d "/var/mail/vhosts" "0755" "5000" "5000" _ _) + (d "/var/lib/postfix/private/" "0755" "postfix" "postfix" _ _) + ]; }; init.services.dovecot = { - shutdownOnExit = true; - - ensureSomething.create."dovecotSockets" = { - type = "directory"; - mode = "755"; - owner = "postgres:postgres"; - persistent = false; - dst = "/var/spool/postfix/private/"; - }; + shutdownOnExit = false; + + dependencies = [ + "postfix" + ]; }; init.services.postgresql = { - shutdownOnExit = true; - - ensureSomething.create."postfixRunSocket" = { - type = "directory"; - mode = "755"; - owner = "postgres:postgres"; - persistent = false; - dst = "/var/spool/postfix/run/postgresql/"; - }; + shutdownOnExit = false; + + dependencies = [ + "postfix" + ]; + + supplementaryGroups = [ + "postfix" + ]; + + tmpfiles = with nglib.nottmpfiles.dsl; [ + (d "/var/lib/postfix/run" "0775" "postfix" "postfix" _ _) + (d "/var/lib/postfix/run/postgresql" "0775" "postfix" "postfix" _ _) + ]; }; services.postgresql = { 
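Review bot: The tmpfiles entry `(d "/var/lib/postfix/private/" "0755" "postfix" "postfix" _ _)` leaves the directory holding the Dovecot `auth` and `dovecot-lmtp` sockets traversable by every local account. The `auth` listener further down in this file is `mode = "0666"`, so nothing on that path limits who can reach the authentication service. Postfix keeps its own `private/` directory closed to other users, and I would do the same here with `(d "/var/lib/postfix/private/" "0750" "postfix" "postfix" _ _)`. That assumes Dovecot can still create its listeners there, which is not visible in this hunk. The `config` block continues past the end of the hunk.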
@@ -73,7 +61,7 @@ nglib.makeSystem { package = pkgs.postgresql_17; config = { - unix_socket_directories = "/run/postgresql/, /var/spool/postfix/run/postgresql/"; + unix_socket_directories = "/run/postgresql/, /var/lib/postfix/run/postgresql/"; }; initialScript = pkgs.writeText "init.sql" '' @@ -164,7 +152,7 @@ nglib.makeSystem { protocol."lmtp" = { }; service."lmtp" = { - unix_listener."/var/spool/postfix/private/dovecot-lmtp" = { + unix_listener."/var/lib/postfix/private/dovecot-lmtp" = { mode = "0600"; user = "postfix"; group = "postfix"; @@ -172,7 +160,7 @@ nglib.makeSystem { }; service."auth" = { - unix_listener."/var/spool/postfix/private/auth" = { + unix_listener."/var/lib/postfix/private/auth" = { mode = "0666"; user = "postfix"; group = "postfix"; @@ -284,7 +272,7 @@ nglib.makeSystem { virtual_uid_maps = "static:5000"; virtual_gid_maps = "static:5000"; - virtual_transport = "lmtp:unix:/var/spool/postfix/private/dovecot-lmtp"; + virtual_transport = "lmtp:unix:/var/lib/postfix/private/dovecot-lmtp"; }; }; }; diff --git a/lib/default.nix b/lib/default.nix index 42409550..41b7066d 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -71,11 +71,11 @@ let maybeChangeUserAndGroup = user: group: supp: script: - if user != null then + if supp != [] then let group' = if group != null then "${group}" else ":"; in - "setgroups ${user} ${group'} :${lib.concatStringsSep ":" supp} ${script}" + "setgroups ${if user == null then "root" else user} ${group'} :${lib.concatStringsSep ":" supp} ${script}" else script; diff --git a/modules/services/postfix.nix b/modules/services/postfix.nix index e362c646..923ea47a 100644 --- a/modules/services/postfix.nix +++ b/modules/services/postfix.nix 
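Review bot: In `maybeChangeUserAndGroup` (lib/default.nix), the new guard `if supp != [] then` means a caller that passes a user but an empty supplementary-group list gets the bare `script` back, so the command runs with whatever identity the init script has instead of dropping to `user`. The `chpst` binding added in modules/services/postgresql.nix is affected the same way: initdb, postgres and psql only run as `postgres:postgres` when `supplementaryGroups` is non-empty. The guard should keep the old case as well, `if user != null || supp != [] then`. With an empty `supp` the argument becomes a bare `:`, so confirm that `setgroups` accepts that. The function's `let` binding starts outside the hunk.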
@@ -413,42 +413,21 @@ in }; }; - init.services.postfix = - let - mainCnf = pkgs.writeText "main.cf" (toMainCnf cfg.mainConfig); - masterCnf = pkgs.writeText "master.cf" cfg.masterConfig; - configDir = pkgs.runCommand "postfix-config-dir" { } '' - mkdir -p $out - ln -s ${mainCnf} $out/main.cf - ln -s ${masterCnf} $out/master.cf - ''; - in - { - ensureSomething.create."data" = lib.mkDefault { - type = "directory"; - mode = "750"; - owner = "${cfg.user}:${cfg.group}"; - dst = cfg.mainConfig.data_directory; - persistent = true; - }; - - ensureSomething.create."queue" = lib.mkDefault { - type = "directory"; - mode = "750"; - owner = "${cfg.user}:root"; - dst = cfg.mainConfig.queue_directory; - persistent = false; - }; + environment.etc."postfix/main.cf".source = pkgs.writeText "main.cf" (toMainCnf cfg.mainConfig); + environment.etc."postfix/master.cf".source = pkgs.writeText "master.cf" cfg.masterConfig; - script = pkgs.writeShellScript "postfix-run" '' - echo asd + init.services.postfix = { + tmpfiles = with nglib.nottmpfiles.dsl; [ + (d cfg.mainConfig.data_directory "0750" cfg.user cfg.group _ _) + (d cfg.mainConfig.queue_directory "0750" cfg.user cfg.group _ _) + ]; - mkdir -p /etc/postfix/ - ${cfg.package}/bin/postfix -c ${configDir} set-permissions - ${cfg.package}/libexec/postfix/master -c ${configDir} - ''; - enabled = true; - }; + script = pkgs.writeShellScript "postfix-run" '' + ${cfg.package}/bin/postfix -c /etc/postfix set-permissions + ${cfg.package}/libexec/postfix/master -c /etc/postfix + ''; + enabled = true; + }; assertions = [ { assertion = createDefaultUsersGroups; diff --git a/modules/services/postgresql.nix b/modules/services/postgresql.nix index 36ce42ca..daff650c 100644 --- a/modules/services/postgresql.nix +++ b/modules/services/postgresql.nix 
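Review bot: The tmpfiles line for `cfg.mainConfig.queue_directory` gives the queue root to `cfg.user`/`cfg.group`. Postfix expects the queue directory itself to be root-owned, with only its subdirectories belonging to the mail owner, and its startup check warns when the top level is not owned by root. That way an unprivileged Postfix process cannot rearrange the tree the root-run master works in. I would create it as `(d cfg.mainConfig.queue_directory "0755" "root" "root" _ _)` and leave the subdirectories to the `postfix set-permissions` call already in the script, then confirm with `postfix check` on a fresh container. The enclosing module body starts and ends outside the hunk.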
@@ -14,11 +14,15 @@ pkgs, lib, config, + nglib, ... }: let cfg = config.services.postgresql; + chpst = + nglib.maybeChangeUserAndGroup "postgres" "postgres" config.init.services."postgresql".supplementaryGroups; + # BEGIN Copyright (c) 2003-2021 Eelco Dolstra and the Nixpkgs/NixOS contributors toStr = value: @@ -407,7 +411,7 @@ in rm -f ${cfg.dataDir}/*.conf # Initialize the database - chpst -u postgres:postgres ${cfg.package}/bin/initdb -U ${cfg.superUser} ${lib.concatStringsSep " " cfg.initdbArgs} + ${chpst "${cfg.package}/bin/initdb -U ${cfg.superUser} ${lib.concatStringsSep " " cfg.initdbArgs}"} touch ${cfg.dataDir}/.first_startup fi @@ -418,10 +422,10 @@ in "${cfg.dataDir}/recovery.conf" ''} - chpst -u postgres:postgres ${cfg.package}/bin/postgres & + ${chpst "${cfg.package}/bin/postgres &"} postgresql=$! - PSQL="chpst -u postgres:postgres ${cfg.package}/bin/psql --port=${cfg.port} --no-psqlrc" + PSQL="${chpst "${cfg.package}/bin/psql --port=${cfg.port} --no-psqlrc"}" while ! $PSQL -d postgres -c "" 2> /dev/null ; do if ! kill -0 "$postgresql"; then exit 1; fi sleep 0.1
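Review bot: The `let` binding named `chpst` no longer invokes chpst; it is a partial application of `nglib.maybeChangeUserAndGroup` that wraps its argument in a `setgroups postgres postgres :…` prefix. The three call sites (initdb, the backgrounded `postgres &`, and the `PSQL` string) therefore read as something they are not. A name such as `asPostgres` would be clearer. A comment above it would also help, for example `# wraps a command line so it runs as postgres:postgres plus init.services.postgresql.supplementaryGroups`. The module's `let` block and the start script both extend beyond these hunks.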