diff --git a/integration-tests/basic/default.nix b/integration-tests/basic/default.nix
index 0c4fc6d..7ab9476 100644
--- a/integration-tests/basic/default.nix
+++ b/integration-tests/basic/default.nix
@@ -5,7 +5,7 @@ let
   serverConfigFile = config.nodes.server.services.atticd.configFile;
 
   cmd = {
-    atticadm = ". /etc/atticd.env && export ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 && atticadm -f ${serverConfigFile}";
+    atticadm = "atticd-atticadm";
     atticd = ". /etc/atticd.env && export ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 && atticd -f ${serverConfigFile}";
   };
 
@@ -129,6 +129,8 @@ in {
           };
         };
 
+        environment.systemPackages = [ pkgs.attic-server ];
+
         networking.firewall.allowedTCPPorts = [ 8080 ];
       };
 
diff --git a/nixos/atticd.nix b/nixos/atticd.nix
index d974f20..22ca670 100644
--- a/nixos/atticd.nix
+++ b/nixos/atticd.nix
@@ -21,6 +21,20 @@ let
     cat <$configFile >$out
   '';
 
+  atticadmWrapper = pkgs.writeShellScriptBin "atticd-atticadm" ''
+    exec systemd-run \
+      --pty \
+      --same-dir \
+      --wait \
+      --collect \
+      --service-type=exec \
+      --property=EnvironmentFile=${cfg.credentialsFile} \
+      --property=DynamicUser=yes \
+      --property=User=atticd \
+      -- \
+      ${cfg.package}/bin/atticadm -f ${checkedConfigFile} "$@"
+  '';
+
   hasLocalPostgresDB = let
     url = cfg.settings.database.url;
     localStrings = [ "localhost" "127.0.0.1" "/run/postgresql" ];
@@ -129,7 +143,7 @@ in
         };
       };
 
-      environment.systemPackages = [ cfg.package ];
+      environment.systemPackages = [ atticadmWrapper ];
     }
     (lib.mkIf cfg.useFlakeCompatOverlay {
       nixpkgs.overlays = [ overlay ];