diff --git a/nixos/modules/services/web-servers/meguca.nix b/nixos/modules/services/web-servers/meguca.nix index 6f3f5329dafc..8ae86c67a29f 100644 --- a/nixos/modules/services/web-servers/meguca.nix +++ b/nixos/modules/services/web-servers/meguca.nix @@ -11,7 +11,7 @@ in baseDir = mkOption { type = types.path; - default = "/var/lib/meguca"; + default = "/run/meguca"; description = "Location where meguca stores it's database and links."; }; @@ -21,6 +21,12 @@ in description = "Password for the meguca database."; }; + passwordFile = mkOption { + type = types.path; + default = "/run/keys/meguca-password-file"; + description = "Password file for the meguca database."; + }; + reverseProxy = mkOption { type = types.nullOr types.str; default = null; @@ -40,17 +46,23 @@ in }; cacheSize = mkOption { - type = types.nullOr types.str; + type = types.nullOr types.int; default = null; description = "Cache size in MB."; }; postgresArgs = mkOption { - type = types.nullOr types.str; - default = null; + type = types.str; + default = "user=meguca password=" + cfg.password + " dbname=meguca sslmode=disable"; description = "Postgresql connection arguments."; }; + postgresArgsFile = mkOption { + type = types.path; + default = "/run/keys/meguca-postgres-args"; + description = "Postgresql connection arguments file."; + }; + compressTraffic = mkOption { type = types.bool; default = false; @@ -74,6 +86,16 @@ in security.sudo.enable = cfg.enable == true; services.postgresql.enable = cfg.enable == true; + services.meguca.passwordFile = mkDefault (toString (pkgs.writeTextFile { + name = "meguca-password-file"; + text = cfg.password; + })); + + services.meguca.postgresArgsFile = mkDefault (toString (pkgs.writeTextFile { + name = "meguca-postgres-args"; + text = cfg.postgresArgs; + })); + systemd.services.meguca = { description = "meguca"; after = [ "network.target" "postgresql.service" ]; 
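Review bot: With the new default of `/run/meguca`, `baseDir` sits on a tmpfs, but the unchanged description still says this is where meguca stores its database and links. Anything written there is lost on reboot, and the `RuntimeDirectory = "meguca"` added later in this commit has systemd remove the directory when the unit stops. The same path is still used as the service user's home with `createHome = true`. If nothing persistent is expected there, the description should say so, e.g. `description = "Runtime directory for meguca's working files and links; recreated on every start.";`.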
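Review bot: The new `postgresArgs` default concatenates `cfg.password` into the connection string unquoted, so a password containing a space or a single quote would be read as extra connection parameters. libpq-style strings need such values single-quoted and escaped; how meguca's driver parses them is not visible here. The default also hard-codes `sslmode=disable`, which is only reasonable while the database is the local instance this module enables. Because the default reads `cfg`, it should carry a `defaultText` so the rendered option documentation never evaluates the password, e.g. `defaultText = "user=meguca password=<password> dbname=meguca sslmode=disable";`.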
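Review bot: `pkgs.writeTextFile` places its `text` in `/nix/store`, which every local user can read, so the two `mkDefault` definitions in the `@@ -74,6 +86,16 @@` hunk publish `cfg.password` and the whole connection string as store paths. Store paths are also copied along with the system closure, so the secret can travel to other machines and caches. These definitions take priority over the `/run/keys/...` defaults declared for `passwordFile` and `postgresArgsFile` in the option hunks above, so those defaults never apply unless an administrator sets the options explicitly. I would drop both `services.meguca.*File = mkDefault (toString (pkgs.writeTextFile { … }))` definitions and let the option defaults stand. The option descriptions should then state that the files must be provisioned outside the store and be readable only by the accounts that need them.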
@@ -83,30 +105,43 @@ in # Ensure folder exists and links are correct or create them mkdir -p ${cfg.baseDir} ln -sf ${pkgs.meguca}/share/meguca/www ${cfg.baseDir} - chown -R meguca:meguca ${cfg.baseDir} # Ensure the database is correct or create it - ${pkgs.sudo}/bin/sudo -u ${postgres.superUser} ${postgres.package}/bin/createuser -SDR meguca || true - ${pkgs.sudo}/bin/sudo -u ${postgres.superUser} ${postgres.package}/bin/psql -c "ALTER ROLE meguca WITH PASSWORD '${cfg.password}';" || true - ${pkgs.sudo}/bin/sudo -u ${postgres.superUser} ${postgres.package}/bin/createdb -T template0 -E UTF8 -O meguca meguca || true + ${pkgs.sudo}/bin/sudo -u ${postgres.superUser} ${postgres.package}/bin/createuser \ + -SDR meguca || true + ${pkgs.sudo}/bin/sudo -u ${postgres.superUser} ${postgres.package}/bin/psql \ + -c "ALTER ROLE meguca WITH PASSWORD '$(cat ${cfg.passwordFile})';" || true + ${pkgs.sudo}/bin/sudo -u ${postgres.superUser} ${postgres.package}/bin/createdb \ + -T template0 -E UTF8 -O meguca meguca || true ''; + script = '' + cd ${cfg.baseDir} + + ${pkgs.meguca}/bin/meguca -d "$(cat ${cfg.postgresArgsFile})"\ + ${optionalString (cfg.reverseProxy != null) " -R ${cfg.reverseProxy}"}\ + ${optionalString (cfg.sslCertificate != null) " -S ${cfg.sslCertificate}"}\ + ${optionalString (cfg.listenAddress != null) " -a ${cfg.listenAddress}"}\ + ${optionalString (cfg.cacheSize != null) " -c ${toString cfg.cacheSize}"}\ + ${optionalString (cfg.compressTraffic) " -g"}\ + ${optionalString (cfg.assumeReverseProxy) " -r"}\ + ${optionalString (cfg.httpsOnly) " -s"} start + ''; + serviceConfig = { PermissionsStartOnly = true; Type = "forking"; User = "meguca"; Group = "meguca"; - WorkingDirectory = "${cfg.baseDir}"; - ExecStart = ''${pkgs.meguca}/bin/meguca${if cfg.reverseProxy != null then " -R ${cfg.reverseProxy}" else ""}${if cfg.sslCertificate != null then " -S ${cfg.sslCertificate}" else ""}${if cfg.listenAddress != null then " -a ${cfg.listenAddress}" else ""}${if cfg.cacheSize 
!= null then " -c ${cfg.cacheSize}" else ""}${if cfg.postgresArgs != null then " -d ${cfg.postgresArgs}" else ""}${if cfg.compressTraffic then " -g" else ""}${if cfg.assumeReverseProxy then " -r" else ""}${if cfg.httpsOnly then " -s" else ""} start''; + RuntimeDirectory = "meguca"; ExecStop = "${pkgs.meguca}/bin/meguca stop"; - ExecRestart = "${pkgs.meguca}/bin/meguca restart"; }; }; users = { extraUsers.meguca = { description = "meguca server service user"; - home = "${cfg.baseDir}"; + home = cfg.baseDir; createHome = true; group = "meguca"; uid = config.ids.uids.meguca; @@ -119,5 +154,5 @@ in }; }; - meta.maintainers = [ maintainers.chiiruno ]; + meta.maintainers = with maintainers; [ chiiruno ]; } diff --git a/pkgs/servers/meguca/default.nix b/pkgs/servers/meguca/default.nix index 421a6b456a9a..a3f2d0f116a8 100644 --- a/pkgs/servers/meguca/default.nix +++ b/pkgs/servers/meguca/default.nix @@ -1,9 +1,10 @@ -{ stdenv, buildGoPackage, fetchgit, pkgconfig, ffmpeg-full, graphicsmagick, ghostscript, quicktemplate, go-bindata, easyjson, nodePackages, cmake, emscripten }: +{ stdenv, buildGoPackage, fetchgit, pkgconfig, ffmpeg-full, graphicsmagick, ghostscript, quicktemplate, + go-bindata, easyjson, nodePackages, cmake, emscripten }: buildGoPackage rec { name = "meguca-unstable-${version}"; - version = "2018-05-17"; - rev = "3107c78d95de3b64556f761d3b6dcfd5c590e0ec"; + version = "2018-05-20"; + rev = "0432df41f30795cad5dc9d135ab620d5da7c7b04"; goPackagePath = "github.com/bakape/meguca"; goDeps = ./server_deps.nix; enableParallelBuilding = true; @@ -13,7 +14,7 @@ buildGoPackage rec { src = fetchgit { inherit rev; url = "https://github.com/bakape/meguca"; - sha256 = "1rvkr5af5d4rlyxylynnpn76hvxq9xd7j8q6mffn6qj6j5p4qg4p"; + sha256 = "0fahk5ykpah14pwgmgiajps2y3pn96wa4z34rcphkwy549ycxxd0"; fetchSubmodules = true; }; diff --git a/pkgs/servers/meguca/server_deps.nix b/pkgs/servers/meguca/server_deps.nix index 6501b7cabb4f..645b0dddb8a3 100644 
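Review bot: Both new command substitutions put the secret on a command line: `$(cat ${cfg.passwordFile})` is expanded into the `psql -c` argument in `preStart`, and `-d "$(cat ${cfg.postgresArgsFile})"` stays in meguca's argv for the life of the daemon, where other local users can read it from the process list. The `ALTER ROLE` statement is also built by pasting the file contents between single quotes, so a password containing `'` changes the SQL that runs as the postgres superuser, and `|| true` hides the resulting failure. For `psql`, send the statement on stdin instead of `-c` and let psql quote the value, by setting a psql variable from the file and using `ALTER ROLE meguca WITH PASSWORD :'pw';`. Whether meguca can take its connection string from a file or the environment is not visible here; if it can, that is the fix for `-d`. The `preStart` string and the `systemd.services.meguca` block open above this hunk.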
--- a/pkgs/servers/meguca/server_deps.nix
+++ b/pkgs/servers/meguca/server_deps.nix
@@ -194,8 +194,8 @@
 fetch = {
 type = "git";
 url = "https://go.googlesource.com/crypto";
- rev = "21052ae46654ecf18dfdba0f7c12701a1e2b3164";
- sha256 = "0wzi1knv181h6y8k3k7wlr7sw492pgxir4gyg2riavrk8c23y2s2";
+ rev = "1a580b3eff7814fc9b40602fd35256c63b50f491";
+ sha256 = "11adgxc6fzcb3dxr5v2g4nk6ggrz04qnx633hzgmzfh2wv3blgv7";
 };
 }
 {
@@ -203,8 +203,8 @@
 fetch = {
 type = "git";
 url = "https://go.googlesource.com/sys";
- rev = "7db1c3b1a98089d0071c84f646ff5c96aad43682";
- sha256 = "0z20mhdy3wiy53xch0fp49gv574qrs77fps5wxi12n57840s2jfr";
+ rev = "7c87d13f8e835d2fb3a70a2912c811ed0c1d241b";
+ sha256 = "03fhkng37rczqwfgah5hd7d373jps3hcfx79dmky2fh62yvpcyn3";
 };
 }
 {
@@ -212,8 +212,8 @@
 fetch = {
 type = "git";
 url = "https://go.googlesource.com/text";
- rev = "7922cc490dd5a7dbaa7fd5d6196b49db59ac042f";
- sha256 = "06sicjc24hv7v9p1l6psaq87w4lycx3mjixd6gsd1wnd4jhqvlnr";
+ rev = "5c1cf69b5978e5a34c5f9ba09a83e56acc4b7877";
+ sha256 = "03br8p1sb1ffr02l8hyrgcyib7ms0z06wy3v4r1dj2l6q4ghwzfs";
 };
 }
 ]