diff --git a/playbooks/3_service/proxmox.yml b/playbooks/3_service/proxmox.yml
index 43760259..4daf123c 100644
--- a/playbooks/3_service/proxmox.yml
+++ b/playbooks/3_service/proxmox.yml
@@ -13,8 +13,7 @@ - { role: mgrote.smart, tags: "smart" } - { role: mgrote.postfix, tags: "postfix" } - { role: mgrote.ecc-rasdaemon, - tags: "ecc", - when: "'pve2.grote.lan' in inventory_hostname" } + tags: "ecc" } - { role: mgrote.cv4pve-autosnap, tags: "cv4pve", when: "'pve2.grote.lan' in inventory_hostname" }
diff --git a/roles/mgrote.ecc-rasdaemon/defaults/main.yml b/roles/mgrote.ecc-rasdaemon/defaults/main.yml
new file mode 100644
index 00000000..d626de7c
--- /dev/null
+++ b/roles/mgrote.ecc-rasdaemon/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+ ### under which user the script is run
+ rasdaemon_user_group: "root"
+ rasdaemon_user: "rasdaemon"
diff --git a/roles/mgrote.ecc-rasdaemon/handlers/main.yml b/roles/mgrote.ecc-rasdaemon/handlers/main.yml
index 2083e2d9..16d11382 100644
--- a/roles/mgrote.ecc-rasdaemon/handlers/main.yml
+++ b/roles/mgrote.ecc-rasdaemon/handlers/main.yml
@@ -1,4 +1,4 @@ --- - - name: labels + - name: guess-labels become: yes shell: '/usr/sbin/ras-mc-ctl --guess-labels >> /var/log/rasdaemon.log'
diff --git a/roles/mgrote.ecc-rasdaemon/tasks/main.yml b/roles/mgrote.ecc-rasdaemon/tasks/main.yml
index 9a2363ba..0c8519e2 100644
--- a/roles/mgrote.ecc-rasdaemon/tasks/main.yml
+++ b/roles/mgrote.ecc-rasdaemon/tasks/main.yml
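Review bot: Removing the `when` guard from the mgrote.ecc-rasdaemon entry applies the role to every host this play targets instead of only pve2.grote.lan, and with it the passwordless-sudo entry that roles/mgrote.ecc-rasdaemon/tasks/user.yml adds in this same commit. The neighbouring cv4pve-autosnap entry keeps its host restriction, so the widening looks deliberate, but nothing records why. A one-line comment on the entry, e.g. `# intentionally unconditional: applied to every host in this play`, would stop the next reader from re-adding the guard. The role list continues outside the hunk.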
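Review bot: `rasdaemon_user_group: "root"` makes root the primary group of the `rasdaemon` account that tasks/user.yml creates, so any root-group-writable path on the host becomes writable by that service account, and the files tasks/main.yml chowns to `{{ rasdaemon_user_group }}` end up root-group-owned rather than isolated to the service. A dedicated group, e.g. `rasdaemon_user_group: "rasdaemon"`, keeps the account's reach limited to its own files. Since these defaults always exist, the `is defined` guards in tasks/user.yml are always true and could be dropped, or replaced by a check that the values are non-empty.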
@@ -1,48 +1,55 @@ --- - - name: Install rasdaemon + - name: include user tasks + include_tasks: user.yml + + - name: install rasdaemon become: true ansible.builtin.package: name: - rasdaemon - logrotate state: present - notify: labels + notify: guess-labels - - name: Enable rasdaemon service + - name: enable rasdaemon service become: true ansible.builtin.service: name: rasdaemon enabled: true - - name: Start rasdaemon service + - name: start rasdaemon service become: true ansible.builtin.service: name: rasdaemon state: started - - name: Create rasdaemon log + - name: create rasdaemon log become: true ansible.builtin.file: path: /var/log/rasdaemon.log state: touch access_time: preserve modification_time: preserve + owner: "{{ rasdaemon_user }}" + group: "{{ rasdaemon_user_group }}" - name: copy logrotate config become: yes ansible.builtin.template: src: logrotate_rasdaemon dest: /etc/logrotate.d/rasdaemon - owner: root - group: root + owner: "{{ rasdaemon_user }}" + group: "{{ rasdaemon_user_group }}" mode: 0644 - - name: rasdaemon-cron kopieren + - name: copy rasdaemon-cron.sh become: yes ansible.builtin.template: src: rasdaemon-cron.sh dest: "/usr/local/bin/rasdaemon-cron.sh" mode: a+x + owner: "{{ rasdaemon_user }}" + group: "{{ rasdaemon_user_group }}" - name: create cronjob become: yes
@@ -52,3 +59,4 @@ job: /usr/local/bin/rasdaemon-cron.sh minute: "5" hour: "4,8,12,16,20,0" + user: "{{ rasdaemon_user }}"
diff --git a/roles/mgrote.ecc-rasdaemon/tasks/user.yml b/roles/mgrote.ecc-rasdaemon/tasks/user.yml
new file mode 100644
index 00000000..4aa7cc3d
--- /dev/null
+++ b/roles/mgrote.ecc-rasdaemon/tasks/user.yml
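Review bot: Changing the owner of `/etc/logrotate.d/rasdaemon` from root to `{{ rasdaemon_user }}` in the "copy logrotate config" task hands the service account write access to a file that logrotate reads and whose prerotate/postrotate hooks it executes as root, and recent logrotate versions skip config files not owned by root, so rotation may simply stop; keep `owner: root` and `group: root` there. The same applies to `/usr/local/bin/rasdaemon-cron.sh` in the "copy rasdaemon-cron.sh" task: the script cron executes should not be writable by the account that runs it, so leave it root-owned (for example `mode: "0755"` instead of `a+x`), which the `user:` added in the second hunk of this file does not conflict with. Only `/var/log/rasdaemon.log` plausibly needs to belong to the rasdaemon user, and only if the script writes to it without elevating, which cannot be confirmed from the template here. The "create cronjob" task is split across the two hunks, so its full body is not visible.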
@@ -0,0 +1,33 @@
+---
+ - name: ensure group exists
+ become: true
+ ansible.builtin.group:
+ name: "{{ rasdaemon_user_group }}"
+ state: present
+ when:
+ - rasdaemon_user_group is defined
+
+ - name: ensure user exists
+ become: true
+ ansible.builtin.user:
+ name: "{{ rasdaemon_user }}"
+ group: "{{ rasdaemon_user_group }}"
+ shell: /usr/sbin/nologin
+ when:
+ - rasdaemon_user_group is defined
+ - rasdaemon_user is defined
+
+ - name: add user to sudoers
+ become: true
+ ansible.builtin.blockinfile:
+ path: /etc/sudoers
+ state: present
+ block: |
+ {{ rasdaemon_user }} ALL=(ALL) NOPASSWD:ALL
+ validate: '/usr/sbin/visudo -cf %s'
+ backup: yes
+ marker_begin: rasdaemon-sudoers
+ marker_end: rasdaemon-sudoers
+ when:
+ - rasdaemon_user_group is defined
+ - rasdaemon_user is defined
diff --git a/roles/mgrote.zfs_sanoid/tasks/user.yml b/roles/mgrote.zfs_sanoid/tasks/user.yml
index 42348674..933bbbae 100644
--- a/roles/mgrote.zfs_sanoid/tasks/user.yml
+++ b/roles/mgrote.zfs_sanoid/tasks/user.yml
@@ -26,6 +26,8 @@ {{ sanoid_user }} ALL=(ALL) NOPASSWD:ALL validate: '/usr/sbin/visudo -cf %s' backup: yes + marker_begin: sanoid-sudoers + marker_end: sanoid-sudoers when: - sanoid_user_group is defined - sanoid_user is defined
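Review bot: The sudoers block `{{ rasdaemon_user }} ALL=(ALL) NOPASSWD:ALL` grants a nologin service account unrestricted passwordless root, while the only thing this role runs under that account is the cron script; restricting the rule to that one root-owned command, e.g. `{{ rasdaemon_user }} ALL=(root) NOPASSWD: /usr/local/bin/rasdaemon-cron.sh`, keeps the grant to what the job needs and still passes the visudo validate step. `marker_begin` and `marker_end` are both `rasdaemon-sudoers`, so the begin and end marker lines written into /etc/sudoers are identical; blockinfile distinguishes the block by its two distinct markers, and with identical ones a later run will likely not re-find the block and may duplicate it, so use `marker_begin: BEGIN rasdaemon-sudoers` and `marker_end: END rasdaemon-sudoers` (or set `marker: "# {mark} rasdaemon-sudoers"` and leave the defaults). The `marker_begin`/`marker_end` pair added for sanoid in roles/mgrote.zfs_sanoid/tasks/user.yml has the same problem. Writing a drop-in under /etc/sudoers.d with mode 0440 and the same `validate` would also avoid editing the main sudoers file, and `backup: yes` should be `backup: true`.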