diff --git a/defaults/main.yml b/defaults/main.yml
index 891e522..133106b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -38,3 +38,6 @@ nginx__infrastructure_domain__enabled: true
 # disable this variable if you don't want to use our acmetool role to manage tls certificates
 nginx__acmetool_enabled: true
+
+nginx__user: 'www-data'
+nginx__group: 'www-data'
diff --git a/tasks/main.yml b/tasks/main.yml
index 5cc1960..1f297ec 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -6,6 +6,9 @@
 - name: Install nginx
   ansible.builtin.include_tasks: installation.yml
+- name: create nginx user and group
+  ansible.builtin.include_tasks: users.yml
+
 - name: Configure nginx
   ansible.builtin.include_tasks: nginx.yml
diff --git a/tasks/nginx.yml b/tasks/nginx.yml
index 6fec803..9ea6ebe 100644
--- a/tasks/nginx.yml
+++ b/tasks/nginx.yml
@@ -1,8 +1,8 @@
 ---
 - name: Copy main nginx configuration file
   become: true
-  ansible.builtin.copy:
-    src: 'nginx/nginx.conf'
+  ansible.builtin.template:
+    src: 'templates/nginx/nginx.conf.j2'
     dest: '/etc/nginx/'
     owner: root
     group: root
diff --git a/tasks/users.yml b/tasks/users.yml
new file mode 100644
index 0000000..00a442c
--- /dev/null
+++ b/tasks/users.yml
@@ -0,0 +1,17 @@
+---
+- name: "create {{ nginx__group }} Group"
+  become: true
+  ansible.builtin.group:
+    name: "{{ nginx__group }}"
+    system: true
+    state: 'present'
+
+- name: "create {{ nginx__user }} user"
+  become: true
+  ansible.builtin.user:
+    name: "{{ nginx__user }}"
+    comment: "NGINX user"
+    home: '/var/www'
+    groups: "{{ nginx__group }}"
+    shell: '/usr/sbin/nologin'
+    system: true
diff --git a/files/nginx/nginx.conf b/templates/nginx/nginx.conf.j2
similarity index 94%
rename from files/nginx/nginx.conf
rename to templates/nginx/nginx.conf.j2
index 0bd67ce..71da32a 100644
--- a/files/nginx/nginx.conf
+++ b/templates/nginx/nginx.conf.j2
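Review bot: The new `nginx__user` and `nginx__group` defaults in defaults/main.yml carry no comment, while the variable directly above them is explained inline, so a reader of this file cannot tell that these names are rendered into nginx.conf's `user` directive and created by tasks/users.yml. I would add `# account the nginx worker processes run as; created by tasks/users.yml and rendered into nginx.conf` above `nginx__user`. It is also worth noting in that comment that on hosts where the nginx package already ships a `www-data` account the user task is expected to be a no-op, so that anyone overriding the defaults knows the role will then create a fresh system account.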
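Review bot: The new task name in tasks/main.yml, `create nginx user and group`, breaks the capitalisation used by its neighbours (`Install nginx`, `Configure nginx`); `- name: Create nginx user and group` keeps the task list consistent. Placing the include after installation.yml and before nginx.yml is the right order, since nginx.yml renders a config that references the account.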
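Review bot: In tasks/nginx.yml the switch to `ansible.builtin.template` keeps `dest: '/etc/nginx/'`, a directory, and as far as I recall the template action renders to a temporary file named after the source basename before handing it to copy, so the result would land as `/etc/nginx/nginx.conf.j2` and the real `nginx.conf` would be left untouched; with the copy module and a `.conf` source this was harmless, with a `.j2` source it is not. Use an explicit file path, `dest: '/etc/nginx/nginx.conf'`. The `src` also no longer needs the `templates/` prefix because the template module searches the role's templates directory itself, so `src: 'nginx/nginx.conf.j2'` matches the convention the old `src: 'nginx/nginx.conf'` used. Adding `validate: 'nginx -t -c %s'` would reject a broken render before it replaces the live config, provided the includes inside the template use absolute paths. The task continues past the hunk.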
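Review bot: In tasks/users.yml the user task passes `groups: "{{ nginx__group }}"`, which sets a supplementary group, while the primary group of the account is left to the system default; nginx.conf only names the user, so the worker processes' group is whatever useradd picked, not `nginx__group`. The intended key is `group: "{{ nginx__group }}"`, and `groups:` should be dropped or paired with `append: true`, because without `append` it also replaces every supplementary group of a pre-existing account such as a packaged `www-data`. I would also add a comment above the task, `# primary group must match nginx__group so the rendered user directive resolves to it`, and, since the user module creates `home` by default, consider `create_home: false` so skeleton files are not dropped into `/var/www` on hosts where the account is new.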
@@ -1,4 +1,5 @@
-user www-data;
+{{ ansible_managed | comment }}
+user {{ nginx__user }};
 worker_processes auto;
 pid /run/nginx.pid;
 error_log /var/log/nginx/error.log;
diff --git a/vars/main.yml b/vars/main.yml
index fbf5917..305ec8d 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,3 +1,3 @@
 ---
-playbook_version_number: 24 # should be int
+playbook_version_number: 25
 playbook_version_path: 'do1jlr.nginx_roles-ansible.version'
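Review bot: The rendered directive `user {{ nginx__user }};` omits the group, so nginx falls back to a group named after the user; the role now exposes a separate `nginx__group` default, and whenever it is set to something other than the user name the group nginx looks up may not exist and the service will refuse to start. Render both values, `user {{ nginx__user }} {{ nginx__group }};`, so the worker credentials match the account tasks/users.yml creates. The rest of nginx.conf.j2 is outside the hunk.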