diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index bcb04001e..7427daa05 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -77,7 +77,7 @@ jobs:
 cache-to: type=registry,mode=max,ref=${{ env.GHCR_REPO }}:cache-${{ matrix.tag }}-${{ env.SAFE_REF }}
 - name: Scan image with Trivy
- uses: aquasecurity/trivy-action@0.35.0
+ uses: aquasecurity/trivy-action@v0.36.0
 env:
 TRIVY_SHOW_SUPPRESSED: 1
 TRIVY_IGNOREFILE: "./.trivyignore.yaml"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 356bed30f..5eeb05a6b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -60,7 +60,7 @@ jobs:
 uses: mozilla-actions/sccache-action@v0.0.9
 - name: Scan code with Trivy
- uses: aquasecurity/trivy-action@0.35.0
+ uses: aquasecurity/trivy-action@v0.36.0
 env:
 TRIVY_SHOW_SUPPRESSED: 1
 TRIVY_IGNOREFILE: "./.trivyignore.yaml"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 14825e0e1..5cb199457 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -148,45 +148,83 @@ jobs:
 with:
 fpm_args: "defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard
- defguard.service=/usr/lib/systemd/system/defguard.service
+ linux/defguard.service=/usr/lib/systemd/system/defguard.service
 .env.example=/etc/defguard/core.conf"
- fpm_opts: "--architecture amd64 --output-type deb --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb"
+ fpm_opts:
+ "--architecture amd64
+ --output-type deb
+ --version ${{ env.VERSION }}
+ --package defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb
+ --before-install linux/preinst
+ --after-install linux/postinst
+ --before-remove linux/prerm
+ --after-remove linux/postrm"
 - name: Build aarch64 DEB package
 uses: defGuard/fpm-action@main
 with:
 fpm_args: "defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard
- defguard.service=/usr/lib/systemd/system/defguard.service
+ linux/defguard.service=/usr/lib/systemd/system/defguard.service
 .env.example=/etc/defguard/core.conf"
- fpm_opts: "--architecture arm64 --output-type deb --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb"
+ fpm_opts:
+ "--architecture arm64
+ --output-type deb
+ --version ${{ env.VERSION }}
+ --package defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb
+ --before-install linux/preinst
+ --after-install linux/postinst
+ --before-remove linux/prerm
+ --after-remove linux/postrm"
 - name: Build x86_64 RPM package
 uses: defGuard/fpm-action@main
 with:
 fpm_args: "defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard
- defguard.service=/usr/lib/systemd/system/defguard.service
+ linux/defguard.service=/usr/lib/systemd/system/defguard.service
 .env.example=/etc/defguard/core.conf"
- fpm_opts: "--architecture amd64 --output-type rpm --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm"
+ fpm_opts:
+ "--architecture amd64
+ --output-type rpm
+ --version ${{ env.VERSION }}
+ --package defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm
+ --before-install linux/preinst
+ --after-install linux/postinst
+ --before-remove linux/prerm
+ --after-remove linux/postrm"
 - name: Build aarch64 RPM package
 uses: defGuard/fpm-action@main
 with:
 fpm_args: "defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard
- defguard.service=/usr/lib/systemd/system/defguard.service
+ linux/defguard.service=/usr/lib/systemd/system/defguard.service
 .env.example=/etc/defguard/core.conf"
- fpm_opts: "--architecture arm64 --output-type rpm --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm"
+ fpm_opts:
+ "--architecture arm64
+ --output-type rpm
+ --version ${{ env.VERSION }}
+ --package defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm
+ --before-install linux/preinst
+ --after-install linux/postinst
+ --before-remove linux/prerm
+ --after-remove linux/postrm"
 - name: Build FreeBSD package
 uses: defGuard/fpm-action@main
 with:
 fpm_args: "defguard-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard
- defguard.service.freebsd=/usr/local/etc/rc.d/defguard
+ freebsd/defguard=/usr/local/etc/rc.d/defguard
 .env.example=/etc/defguard/core.conf"
- fpm_opts: "--architecture amd64 --output-type freebsd --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg --freebsd-osversion '*' --depends openssl"
+ fpm_opts:
+ "--architecture amd64
+ --output-type freebsd
+ --version ${{ env.VERSION }}
+ --package defguard-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg
+ --freebsd-osversion '*'
+ --depends openssl"
 - name: Upload Linux x86_64 archive
 uses: shogo82148/actions-upload-release-asset@v1
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 3f2fb166a..00d6546a7 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
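Review bot: The new `fpm_opts` values are multi-line double-quoted scalars and nothing here records why that is safe: inside double quotes YAML folds each line break into a single space, so fpm still receives one option string. A comment above the first one would save the next editor the check, e.g. `# double-quoted scalar: line breaks fold to spaces, so fpm sees one command line`. The same `linux/preinst`, `linux/postinst`, `linux/prerm` and `linux/postrm` files are wired into both the deb and the rpm builds, so they must handle dpkg's action words as well as rpm's numeric install counts; that expectation is worth stating next to the first `--before-install`, e.g. `# shared by deb and rpm builds: scripts must accept dpkg actions and rpm counts`. The four Linux blocks now differ only in architecture, output type and package name, so a build matrix would remove most of the repetition, though that restructures the job beyond this hunk.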
@@ -35,7 +35,7 @@ jobs:
 submodules: recursive
 - name: Create SBOM with Trivy
- uses: aquasecurity/trivy-action@0.35.0
+ uses: aquasecurity/trivy-action@v0.36.0
 with:
 scan-type: 'fs'
 format: 'spdx-json'
@@ -46,7 +46,7 @@ jobs:
 skip-dirs: "e2e"
 - name: Create Docker image SBOM with Trivy
- uses: aquasecurity/trivy-action@0.35.0
+ uses: aquasecurity/trivy-action@v0.36.0
 with:
 image-ref: "ghcr.io/defguard/defguard:${{ steps.vars.outputs.VERSION }}"
 scan-type: 'image'
@@ -56,7 +56,7 @@ jobs:
 scanners: "vuln"
 - name: Create security advisory file with Trivy
- uses: aquasecurity/trivy-action@0.35.0
+ uses: aquasecurity/trivy-action@v0.36.0
 with:
 scan-type: 'fs'
 format: 'json'
@@ -67,7 +67,7 @@ jobs:
 skip-dirs: "e2e"
 - name: Create docker image security advisory file with Trivy
- uses: aquasecurity/trivy-action@0.35.0
+ uses: aquasecurity/trivy-action@v0.36.0
 with:
 image-ref: "ghcr.io/defguard/defguard:${{ steps.vars.outputs.VERSION }}"
 scan-type: 'image'
diff --git a/defguard.service.freebsd b/freebsd/defguard
old mode 100644
new mode 100755
similarity index 73%
rename from defguard.service.freebsd
rename to freebsd/defguard
index c8ae9118d..a4896f282
--- a/defguard.service.freebsd
+++ b/freebsd/defguard
@@ -9,12 +9,11 @@ name="defguard"
 rcvar=defguard_enable
 command="/usr/local/bin/defguard"
-config="/etc/defguard/core.conf"
+defguard_env_file="/etc/defguard/core.conf"
 start_cmd="${name}_start"
-defguard_start()
-{
- ${command} --config ${config} &
+defguard_start() {
+ ${command} &
 }
 load_rc_config $name
diff --git a/defguard.service b/linux/defguard.service
similarity index 80%
rename from defguard.service
rename to linux/defguard.service
index 3ae5812ca..9cda51412 100644
--- a/defguard.service
+++ b/linux/defguard.service
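Review bot: `defguard_env_file` is never referenced by this script itself; it only has an effect because rc.subr picks up `${name}_env_file` and, if I read rc.subr correctly, sources it with `set -a` before `start_cmd` runs, so the renamed variable deserves a comment, e.g. `# read by rc.subr (${name}_env_file): sourced and exported before defguard_start runs`. Because rc.subr sources that file as shell, `/etc/defguard/core.conf` is executed as rc code on FreeBSD (presumably as root, since no `defguard_user` is visible in this hunk) whereas systemd only parses the same file as `EnvironmentFile=`, so the two platforms accept different syntax and the FreeBSD side must treat the file as fully trusted; a second comment saying so would help whoever edits `.env.example`. The removed `--config ${config}` flag has no replacement here, so I assume the daemon now reads its settings from the environment alone — worth confirming against the binary. The enclosing file continues outside the hunk on both sides.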
@@ -5,8 +5,10 @@ Wants=network-online.target
 After=network-online.target
 [Service]
-DynamicUser=yes
 User=defguard
+Group=defguard
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 EnvironmentFile=/etc/defguard/core.conf
 ExecStart=/usr/bin/defguard
 KillMode=process
diff --git a/linux/postinst b/linux/postinst
new file mode 100644
index 000000000..a6b53045b
--- /dev/null
+++ b/linux/postinst
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+
+SERVICE_NAME='defguard'
+
+case "${1}" in
+1 | configure)
+ if [ -x /usr/bin/systemctl ]; then
+ /usr/bin/systemctl daemon-reload
+ /usr/bin/systemctl enable ${SERVICE_NAME}
+ /usr/bin/systemctl --no-block start ${SERVICE_NAME}
+ fi
+ ;;
+abort-upgrade | abort-remove | abort-deconfigure)
+ if [ -x /usr/bin/systemctl ]; then
+ /usr/bin/systemctl daemon-reload
+ if /usr/bin/systemctl is-enabled --quiet ${SERVICE_NAME}; then
+ /usr/bin/systemctl --no-block restart ${SERVICE_NAME}
+ fi
+ fi
+ ;;
+esac
diff --git a/linux/postrm b/linux/postrm
new file mode 100644
index 000000000..2b473f8a3
--- /dev/null
+++ b/linux/postrm
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+USERNAME=defguard
+
+if [ -x /usr/bin/systemctl ]; then
+ /usr/bin/systemctl --quiet daemon-reload || true
+fi
+
+if id -u ${USERNAME} >/dev/null 2>&1; then
+ echo "If no longer needed, remove ${USERNAME} manually: userdel ${USERNAME}"
+fi
diff --git a/linux/preinst b/linux/preinst
new file mode 100755
index 000000000..6cc33233e
--- /dev/null
+++ b/linux/preinst
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+USERNAME=defguard
+
+if ! id -u ${USERNAME} >/dev/null 2>&1; then
+ useradd --system --user-group --no-create-home ${USERNAME}
+fi
+
+mkdir -p /etc/defguard
+chown -R ${USERNAME}:${USERNAME} /etc/defguard
+chmod 750 /etc/defguard
diff --git a/linux/prerm b/linux/prerm
new file mode 100644
index 000000000..f4827d39e
--- /dev/null
+++ b/linux/prerm
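Review bot: Replacing `DynamicUser=yes` with a static `User=defguard` also removes the sandboxing that DynamicUser switches on implicitly — `NoNewPrivileges`, `ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp` and `RemoveIPC` — so the unit ends up less confined at the very moment it gains `CAP_NET_BIND_SERVICE`. The service was already running under those implied settings before this change, so restoring them explicitly should be behaviour-neutral: add `NoNewPrivileges=yes`, `ProtectSystem=strict` and `PrivateTmp=yes` under `[Service]` (and `ProtectHome=yes`, since nothing here suggests the daemon needs home directories). `Group=defguard` also depends on `linux/preinst` creating that group through `useradd --user-group`; a one-line comment above `User=` recording that the account comes from the package scripts would make the coupling visible.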
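Review bot: The `1 | configure)` branch covers a fresh RPM install and every dpkg configure, but an RPM upgrade runs the new package's `%post` with `2`, which matches nothing here, and then the old package's `%preun` with `1`, which `linux/prerm` answers by stopping the service unconditionally — so after an RPM upgrade the service is left stopped. Matching `1 | 2 | configure)` and using `/usr/bin/systemctl --no-block restart ${SERVICE_NAME}` in place of `start` lets the new binary take over on both package managers, provided `linux/prerm` only stops on real removal, i.e. wraps its stop in `case "${1}" in 0 | remove | deconfigure)`. Running `enable` on every configure also reverts an administrator's deliberate `disable` on dpkg upgrades; whether that is intended deserves a comment either way. The same scripts are attached to both deb and rpm builds in `release.yml`, so a header comment naming the `$1` values each manager passes would help future readers.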
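Review bot: The userdel hint at the bottom is printed on every run, and postrm also runs on upgrades (dpkg passes `upgrade`, rpm's `%postun` receives `1`), so each upgrade tells the operator to consider deleting the account the package still needs. Gate the message on an actual removal, e.g. `case "${1}" in 0 | remove | purge)` around the `id -u` check. The `|| true` after `daemon-reload` under `set -e` reads as deliberate best-effort; a short `# best effort` comment would confirm that intent.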
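Review bot: `chown -R ${USERNAME}:${USERNAME} /etc/defguard` hands the service account ownership of its own configuration directory, so a compromised `defguard` process could rewrite or replace `core.conf`, the file `linux/defguard.service` loads into its environment; systemd reads `EnvironmentFile=` as root, so the daemon needs neither write nor read access there. Least privilege is `chown root:${USERNAME} /etc/defguard` without `-R`, keeping the existing `chmod 750`, so files stay root-owned and group-readable where needed. The recursive chown also runs on every upgrade and would silently reset ownership an administrator set on other files under `/etc/defguard`; a comment stating the intended ownership model would help either way. `useradd --system --user-group --no-create-home` leaves the account with the distribution's default shell; adding `--shell` pointing at the distro's nologin binary (its path differs between Debian and RHEL families, so probe for it) is the usual hardening for a service account.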
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+SERVICE_NAME='defguard'
+
+if [ -x /usr/bin/systemctl ]; then
+ /usr/bin/systemctl --no-block --quiet stop ${SERVICE_NAME} || true
+fi
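Review bot: `--no-block` on `stop` returns before the unit has actually stopped, so dpkg or rpm proceeds to delete the binary and run `linux/postrm` while the old process may still be running; for a prerm a blocking `/usr/bin/systemctl --quiet stop ${SERVICE_NAME} || true` is the safer default. The stop is also unconditional, which on upgrades (dpkg `upgrade`, rpm `%preun` with `1`) takes the service down without anything in this script bringing it back; I raised the combined upgrade flow on the `linux/postinst` hunk.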