diff --git a/services/crowdsec.nix b/services/crowdsec.nix
index 5525638..654bb9e 100644
--- a/services/crowdsec.nix
+++ b/services/crowdsec.nix
@@ -49,6 +49,19 @@ in
 config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
+ # Static user/group for crowdsec. The vendored module relies on
+ # DynamicUser=true plus a chown hack in crowdsec-setup's ExecStartPre,
+ # which broke on stable's systemd because the dynamic user isn't
+ # visible to NSS at chown time. Declaring the user statically makes
+ # systemd use it (DynamicUser becomes a no-op) and chown succeeds.
+ users.users.crowdsec = {
+ isSystemUser = true;
+ group = "crowdsec";
+ home = "/var/lib/crowdsec";
+ description = "CrowdSec security agent";
+ };
+ users.groups.crowdsec = { };
+
 services.crowdsec = {
 enable = true;
 name = "fredos-mediaserver";
diff --git a/settings/locale.nix b/settings/locale.nix
index 8f4d460..3e1c58d 100644
--- a/settings/locale.nix
+++ b/settings/locale.nix
@@ -2,14 +2,9 @@
 { config, pkgs, lib, ... }:
 {
-# Set your time zone.
-#time.timeZone = "Europe/London";
-services.automatic-timezoned.enable = true;
-services.geoclue2 = {
- enable = true;
- enableDemoAgent = lib.mkForce true;
- geoProviderUrl = "https://api.beacondb.net/v1/geolocate?key=geoclue";
-};
+# Static timezone — automatic-timezoned needs polkit rules to call timedate1
+# and was failing on every host. Override on the laptop if it ever moves.
+time.timeZone = "Europe/London";
 # Select internationalisation properties.
 i18n.defaultLocale = "en_GB.UTF-8";
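Review bot: The comment above `users.users.crowdsec` in services/crowdsec.nix says DynamicUser becomes a no-op, which overstates what systemd does: an existing static user of the same name is reused for the UID/GID, but the settings that DynamicUser= implies (the sandboxing options and, as far as I can tell, the private state-directory layout) stay in force. That matters for `home = "/var/lib/crowdsec";`, which may then resolve to a symlink into the private state directory rather than a plain directory, so it is worth checking on the host. I would reword the last comment line to `# systemd reuses a static user of this name instead of allocating one; the rest of DynamicUser= (sandboxing, state dir handling) still applies.` If the vendored module's unit options can be overridden, setting the user and group on the unit and turning DynamicUser off explicitly would make the fix independent of that fallback.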
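Review bot: In settings/locale.nix, `time.timeZone = "Europe/London";` is defined at normal priority, so the per-host override that the new comment invites ("Override on the laptop") will fail with a conflicting-definition error unless the laptop module uses `lib.mkForce`. Writing `time.timeZone = lib.mkDefault "Europe/London";` keeps the same value on every host and lets a host module override it with a plain assignment; `lib` is already among the module arguments. The comment could then say which form the override should take.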