diff --git a/.gitignore b/.gitignore
index 7bb4cbb..f86bd7d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,4 @@
 /.*.swp
-/*.src.rpm
 /kea-*.tar.gz
 /kea-*.tar.gz.asc
 /keama-*.tar.gz
diff --git a/kea-ctrl-agent.service b/kea-ctrl-agent.service
index b5c860c..f40396a 100644
--- a/kea-ctrl-agent.service
+++ b/kea-ctrl-agent.service
@@ -6,8 +6,11 @@ After=network-online.target
 After=time-sync.target
 [Service]
+User=kea
 ExecStart=/usr/sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
 Environment=KEA_PIDFILE_DIR=/var/run/kea
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
 [Install]
 WantedBy=multi-user.target
diff --git a/kea-dhcp-ddns.service b/kea-dhcp-ddns.service
index 5fdbe0b..e252375 100644
--- a/kea-dhcp-ddns.service
+++ b/kea-dhcp-ddns.service
@@ -6,8 +6,11 @@ After=network-online.target
 After=time-sync.target
 [Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf
 Environment=KEA_PIDFILE_DIR=/var/run/kea
+ExecReload=/bin/kill -HUP $MAINPID
 [Install]
 WantedBy=multi-user.target
diff --git a/kea-dhcp4.service b/kea-dhcp4.service
index 0a72768..eea0227 100644
--- a/kea-dhcp4.service
+++ b/kea-dhcp4.service
@@ -6,8 +6,11 @@ After=network-online.target
 After=time-sync.target
 [Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
 ExecStart=/usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
 Environment=KEA_PIDFILE_DIR=/var/run/kea
+ExecReload=kill -HUP $MAINPID
 [Install]
 WantedBy=multi-user.target
diff --git a/kea-dhcp6.service b/kea-dhcp6.service
index e1fc05a..6911bee 100644
--- a/kea-dhcp6.service
+++ b/kea-dhcp6.service
@@ -6,8 +6,11 @@ After=network-online.target
 After=time-sync.target
 [Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf
 Environment=KEA_PIDFILE_DIR=/var/run/kea
+ExecReload=/bin/kill -HUP $MAINPID
 [Install]
 WantedBy=multi-user.target
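Review bot: The `[Service]` section of kea-ctrl-agent.service drops to `User=kea` but sets no privilege ceiling, and the same holds for the kea-dhcp-ddns, kea-dhcp4 and kea-dhcp6 hunks. `AmbientCapabilities=` only grants capabilities; without `NoNewPrivileges=yes` and a matching `CapabilityBoundingSet=`, a compromised daemon could still regain privileges by executing a setuid or file-capability binary. I would add `NoNewPrivileges=yes` to all four units, an empty `CapabilityBoundingSet=` here (assuming the agent stays on an unprivileged port), and in the other three a `CapabilityBoundingSet=` listing the same capabilities as their `AmbientCapabilities=` line. `Restart=on-failure` is also added only to this unit; if that is deliberate, a comment saying why would help.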
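Review bot: In kea-dhcp-ddns.service, `AmbientCapabilities=CAP_NET_BIND_SERVICE` looks broader than the daemon needs. As far as I know kea-dhcp-ddns listens for name-change requests on an unprivileged port by default and otherwise only sends outbound DNS updates; please confirm against the shipped kea-dhcp-ddns.conf. Unless a deployment binds it below 1024, the line can be dropped so the service runs with no capabilities; otherwise a comment naming the port that requires the grant would document it.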
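Review bot: `ExecReload=kill -HUP $MAINPID` in kea-dhcp4.service uses a bare command name, while the other three units in this commit use `/bin/kill`. Older systemd releases reject non-absolute executables in `Exec*=` lines and newer ones resolve them against a fixed search path, so the absolute form is the safer and consistent one: `ExecReload=/bin/kill -HUP $MAINPID`.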
diff --git a/kea-tmpfiles.d.conf b/kea-tmpfiles.d.conf
deleted file mode 100644
index dcd2418..0000000
--- a/kea-tmpfiles.d.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# kea needs existing /run/kea/ to create logger_lockfile there
-# See tmpfiles.d(5) for details
-
-d /run/kea 0755 root root -
-
diff --git a/kea.spec b/kea.spec
index 5a3a695..d91669a 100644
--- a/kea.spec
+++ b/kea.spec
@@ -31,7 +31,8 @@ Source11: kea-dhcp4.service
 Source12: kea-dhcp6.service
 Source13: kea-dhcp-ddns.service
 Source14: kea-ctrl-agent.service
-Source15: kea-tmpfiles.d.conf
+Source15: systemd-tmpfiles.conf
+Source16: systemd-sysusers.conf
 Patch1: kea-openssl-version.patch
 Patch2: kea-gtest.patch
@@ -84,6 +85,7 @@ BuildRequires: python3-devel
 # in case you ever wanted to use %%configure --enable-generate-docs
 #BuildRequires: elinks asciidoc plantuml
 BuildRequires: systemd
+BuildRequires: systemd-rpm-macros
 BuildRequires: python3-sphinx
 BuildRequires: python3-sphinx_rtd_theme
 BuildRequires: make
@@ -92,9 +94,8 @@ BuildRequires: gnupg2
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %upstream_name_compat %{upstream_name}
 Requires: util-linux
-Requires(post): systemd
-Requires(preun): systemd
-Requires(postun): systemd
+%{?systemd_requires}
+%{?sysusers_requires_compat}
 %description
 DHCP implementation from Internet Systems Consortium, Inc. that features fully
@@ -239,6 +240,9 @@ install -Dpm 0644 %{S:12} %{buildroot}%{_unitdir}/kea-dhcp6.service
 install -Dpm 0644 %{S:13} %{buildroot}%{_unitdir}/kea-dhcp-ddns.service
 install -Dpm 0644 %{S:14} %{buildroot}%{_unitdir}/kea-ctrl-agent.service
+# systemd-sysusers
+install -p -D -m 0644 %{S:16} %{buildroot}%{_sysusersdir}/kea.conf
+
 # Start empty lease databases
 mkdir -p %{buildroot}%{_sharedstatedir}/kea/
 touch %{buildroot}%{_sharedstatedir}/kea/kea-leases4.csv
@@ -253,6 +257,9 @@ install -dm 0755 %{buildroot}/run/kea/
 install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf
+%pre
+%sysusers_create_compat %{S:16}
+
 %post
 %systemd_post kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
@@ -279,10 +286,10 @@ install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf
 %{_sbindir}/perfdhcp
 %{_unitdir}/kea*.service
 %dir %{_sysconfdir}/kea/
-%config(noreplace) %{_sysconfdir}/kea/kea*.conf
+%config(noreplace) %attr(640,root,kea) %{_sysconfdir}/kea/kea*.conf
 %{_datarootdir}/kea
-%dir %{_sharedstatedir}/kea
-%config(noreplace) %{_sharedstatedir}/kea/kea-leases*.csv
+%dir %attr(750,kea,kea) %{_sharedstatedir}/kea
+%config(noreplace) %attr(640,kea,kea) %{_sharedstatedir}/kea/kea-leases*.csv
 %{python3_sitelib}/kea
 %{_mandir}/man8/kea-admin.8*
 %{_mandir}/man8/kea-ctrl-agent.8*
@@ -298,6 +305,7 @@ install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf
 %{_mandir}/man8/perfdhcp.8*
 %dir /run/kea/
 %{_tmpfilesdir}/kea.conf
+%{_sysusersdir}/kea.conf
 %files doc
 %dir %{_pkgdocdir}
diff --git a/systemd-sysusers.conf b/systemd-sysusers.conf
new file mode 100644
index 0000000..bb7250b
--- /dev/null
+++ b/systemd-sysusers.conf
@@ -0,0 +1,2 @@
+g kea -
+u kea -:kea "Kea DHCP Server" /var/lib/kea
diff --git a/systemd-tmpfiles.conf b/systemd-tmpfiles.conf
new file mode 100644
index 0000000..81544fd
--- /dev/null
+++ b/systemd-tmpfiles.conf
@@ -0,0 +1,4 @@
+# kea needs existing /run/kea/ to create logger_lockfile and pidfile there
+# See tmpfiles.d(5) for details
+
+d /run/kea 0755 kea kea -
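Review bot: The new `%attr(750,kea,kea)` and `%attr(640,kea,kea)` entries in the `%files` hunk of kea.spec (`@@ -279,10 +286,10 @@`) only re-own the packaged directory and the two packaged `kea-leases*.csv` files. On an upgrade from a build where the daemons ran as root, anything they created at run time under `%{_sharedstatedir}/kea` would presumably stay root-owned and not writable by the new `kea` user, which could leave the DHCP servers unable to start or persist leases after the update. A one-time fix-up in `%post`, run only on upgrade and without following symlinks, for example `find %{_sharedstatedir}/kea -user root -exec chown -h kea:kea {} +`, would cover this. The rest of `%post` is outside the hunk, so please confirm it is not already handled there.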
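Review bot: `%dir /run/kea/` in the last kea.spec hunk (`@@ -298,6 +305,7 @@`) carries no `%attr`, so RPM would install the directory root-owned, created by `install -dm 0755 %{buildroot}/run/kea/` as seen in the hunk header above, while systemd-tmpfiles.conf now declares it `kea kea`. Unless `%post` re-applies tmpfiles (not visible here), the directory stays root-owned until the next boot, and the daemons, now running with `User=kea`, cannot create their PID and logger lock files in it. Changing the entry to `%dir %attr(0755,kea,kea) /run/kea/` keeps the package payload and tmpfiles.d in agreement and avoids `rpm -V` reporting an ownership mismatch later.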
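Review bot: In systemd-sysusers.conf the `g kea -` line and the `-:kea` ID field look redundant, because a `u` line without an explicit group already creates a group with the same name. The shorter `u kea - "Kea DHCP Server" /var/lib/kea` should be equivalent. It also avoids relying on the `ID:GROUP` form, which I believe older systemd-sysusers releases and the `%sysusers_create_compat` parser may not accept; worth confirming on the oldest release this spec targets. A leading comment such as `# See sysusers.d(5) for details` would match the style of systemd-tmpfiles.conf.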