diff --git a/config/service/letsencrypt/Containerfile b/config/service/letsencrypt/Containerfile
index 4146ead..705222f 100644
--- a/config/service/letsencrypt/Containerfile
+++ b/config/service/letsencrypt/Containerfile
@@ -1,6 +1 @@
 FROM docker.io/goacme/lego:v4.4.0
-
-RUN addgroup --system --gid 10000 letsencrypt
-RUN adduser --system --uid 10000 --ingroup letsencrypt --home /var/lib/letsencrypt letsencrypt
-
-USER letsencrypt
diff --git a/config/service/prosody/Containerfile b/config/service/prosody/Containerfile
index 841f6d4..3d6df96 100644
--- a/config/service/prosody/Containerfile
+++ b/config/service/prosody/Containerfile
@@ -19,7 +19,5 @@ RUN prosodyctl check config
 VOLUME /var/lib/prosody
 ENV __FLUSH_LOG yes
 
-USER prosody
 EXPOSE 5222 5269 5280 5347
-
 ENTRYPOINT ["prosody"]
diff --git a/config/service/prosody/container/config/prosody.cfg.lua b/config/service/prosody/container/config/prosody.cfg.lua
index cfbfe0c..965fb12 100644
--- a/config/service/prosody/container/config/prosody.cfg.lua
+++ b/config/service/prosody/container/config/prosody.cfg.lua
@@ -25,6 +25,10 @@ admins = {}
 -- For more information see: https://prosody.im/doc/libevent
 use_libevent = true
 
+-- Run Prosody under a restricted user and group, to prevent runaway permissions.
+prosody_user = "prosody"
+prosody_group = "prosody"
+
 -- Prosody will always look in its source directory for modules, but
 -- this option allows you to specify additional locations where Prosody
 -- will look for modules first. For community modules, see https://modules.prosody.im/
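Review bot: The added `prosody_user` / `prosody_group` settings are the only thing left naming an unprivileged account once the prosody Containerfile hunk drops `USER prosody`, and as far as I know Prosody consults them in prosodyctl's user switch rather than in the daemon that `ENTRYPOINT ["prosody"]` starts, so the server may come up with whatever uid the image defaults to. Confirm the effective uid of the running process, and if it is root either keep `USER prosody` in the Containerfile or set the container user at run time. The comment would be more useful if it named what enforces the drop, e.g. `-- Account prosodyctl switches to when started as root; the container user must still be set separately.` (wording to be confirmed against the Prosody version in the image). The letsencrypt Containerfile hunk removes `USER letsencrypt` and its account creation with no replacement visible in this diff, so the same check applies there.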