diff --git a/hosts/pie/paperless.nix b/hosts/pie/paperless.nix
index 5799a78..8874e76 100644
--- a/hosts/pie/paperless.nix
+++ b/hosts/pie/paperless.nix
@@ -101,12 +101,13 @@ in {
   age.secrets."hosting-de-invoice-sync-api-key" = {
     file = "${flake.self}/secrets/hosting-de-invoice-sync-api-key.age";
     mode = "400";
+    owner = psCfg.user.name;
   };
 
   services.cron = {
     enable = true;
     systemCronJobs = [
-      "30 1 * * * root ${pkgs.fetch-hostingde-invoices}/bin/fetch-hostingde-invoices '${config.age.secrets."hosting-de-invoice-sync-api-key".path}' '${consumptionDir}'"
+      "30 1 * * * ${psCfg.user.name} ${pkgs.fetch-hostingde-invoices}/bin/fetch-hostingde-invoices '${config.age.secrets."hosting-de-invoice-sync-api-key".path}' '${consumptionDir}'"
     ];
   };
 
@@ -116,6 +117,7 @@ in {
 
   systemd.tmpfiles.rules = [
     "d '${backupDir}' 0700 ${psCfg.user.name} users - -"
+    "d /tmp/paperless 0700 ${psCfg.user.name} users - -"
   ];
 
   age.secrets."rclone-pie.conf" = {
diff --git a/pkgs/fetch-hostingde-invoices/default.nix b/pkgs/fetch-hostingde-invoices/default.nix
index 45e810e..cf710bd 100644
--- a/pkgs/fetch-hostingde-invoices/default.nix
+++ b/pkgs/fetch-hostingde-invoices/default.nix
@@ -3,15 +3,13 @@ self: self.deno2nix.mkExecutable {
   version = "0.1.0";
 
   src = ./.;
-  bin = "simple";
+  bin = "fetch-hostingde-invoices";
 
   entrypoint = "./main.ts";
   lockfile = "./deno.lock";
   config = "./deno.json";
 
   allow = {
-    write = true;
-    env = "HOSTINGDE_API_KEY";
-    net = true;
+    all = true;
   };
 }