diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md index eebecf3c5dff..0bf1a1ba93d4 100644 --- a/nixos/doc/manual/release-notes/rl-2411.section.md +++ b/nixos/doc/manual/release-notes/rl-2411.section.md @@ -54,6 +54,10 @@ Processes also now run as a dynamically allocated user by default instead of root. +- `services.cgit` now runs as the cgit user by default instead of root. + This change requires granting access to the repositories to this user or + setting the appropriate one through `services.cgit.some-instance.user`. + - `nvimpager` was updated to version 0.13.0, which changes the order of user and nvimpager settings: user commands in `-c` and `--cmd` now override the respective default settings because they are executed later. diff --git a/nixos/modules/services/networking/cgit.nix b/nixos/modules/services/networking/cgit.nix index 640c989aaf4c..cf4e137ae935 100644 --- a/nixos/modules/services/networking/cgit.nix +++ b/nixos/modules/services/networking/cgit.nix @@ -154,6 +154,18 @@ in type = types.lines; default = ""; }; + + user = mkOption { + description = "User to run the cgit service as."; + type = types.str; + default = "cgit"; + }; + + group = mkOption { + description = "Group to run the cgit service as."; + type = types.str; + default = "cgit"; + }; }; })); }; @@ -165,8 +177,17 @@ in message = "Exactly one of services.cgit.${vhost}.scanPath or services.cgit.${vhost}.repos must be set."; }) cfgs; + users = mkMerge (flip mapAttrsToList cfgs (_: cfg: { + users.${cfg.user} = { + isSystemUser = true; + inherit (cfg) group; + }; + groups.${cfg.group} = { }; + })); + services.fcgiwrap = flip mapAttrs' cfgs (name: cfg: nameValuePair "cgit-${name}" { + process = { inherit (cfg) user group; }; socket = { inherit (config.services.nginx) user group; }; } ); diff --git a/nixos/tests/cgit.nix b/nixos/tests/cgit.nix index 6aed06adefdf..3107e7b964a3 100644 --- a/nixos/tests/cgit.nix 
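Review bot: The new `user`/`group` option descriptions in the `@@ -154` hunk do not state what the operator has to do for the switch away from root to work — the repositories named by `scanPath`/`repos` must be readable by this account, and that requirement currently lives only in the release note. Suggest `description = "User to run the cgit service as. The repositories served by this instance must be readable by this user.";` and the matching sentence for `group`. The enclosing submodule options block starts before the hunk.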
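Review bot: In the `@@ -165` hunk the `users` block declares `users.users.${cfg.user}` with `isSystemUser = true` and `group = cfg.group` for whatever name the operator configures, so pointing `services.cgit.<name>.user` at an existing account (the migration path the release note suggests, e.g. a `git`/gitolite user that already owns the repositories) merges a second, possibly conflicting definition of that user — in particular its `group` is redefined to `cfg.group`, which still defaults to `cgit`. Creating the account only when the option is left at its default is what other NixOS modules do; the same applies to `groups.${cfg.group}`. `cfgs` and the surrounding `config` attrset are defined outside the hunk, and `mkIf` is assumed to be in scope alongside the `mkMerge`/`mkOption` the file already uses.
```nix
    users = mkMerge (flip mapAttrsToList cfgs (_: cfg: {
      # Only provision the default account; a user-supplied name is expected to
      # exist already and to be able to read the repositories.
      users = mkIf (cfg.user == "cgit") {
        cgit = {
          isSystemUser = true;
          inherit (cfg) group;
        };
      };
      groups = mkIf (cfg.group == "cgit") { cgit = { }; };
    }));
    # … unchanged: services.fcgiwrap definition …
```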
+++ b/nixos/tests/cgit.nix @@ -23,7 +23,7 @@ in { nginx.location = "/(c)git/"; repos = { some-repo = { - path = "/srv/git/some-repo"; + path = "/tmp/git/some-repo"; desc = "some-repo description"; }; }; @@ -50,12 +50,12 @@ in { server.fail("curl -fsS http://localhost/robots.txt") - server.succeed("${pkgs.writeShellScript "setup-cgit-test-repo" '' + server.succeed("sudo -u cgit ${pkgs.writeShellScript "setup-cgit-test-repo" '' set -e - git init --bare -b master /srv/git/some-repo + git init --bare -b master /tmp/git/some-repo git init -b master reference cd reference - git remote add origin /srv/git/some-repo + git remote add origin /tmp/git/some-repo date > date.txt git add date.txt git -c user.name=test -c user.email=test@localhost commit -m 'add date'
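Review bot: Moving the repository to `/tmp/git` and creating it with `sudo -u cgit` in the `@@ -50` hunk sidesteps the permission change this commit introduces: the test now only covers a repository the cgit user created itself in a world-writable directory, not the documented scenario of an existing repository (e.g. under `/srv/git`) being made readable to the new service user. Keeping `/srv/git/some-repo` and adding `chown -R cgit:cgit /srv/git` after the root-run `git init --bare` (or a `systemd.tmpfiles.rules` entry on the server node) would exercise that path. `sudo` also makes the test depend on `security.sudo` being enabled in the VM, which holds by default but is implicit; `runuser -u cgit -- …` from util-linux avoids it. The non-bare `reference` repo is created relative to the shell's working directory, which the test driver presumably sets to `/tmp` — confirm, or `cd` somewhere explicit first. The shell script and the `server.succeed(...)` call continue past the end of the hunk.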