diff --git a/nixlets/attic/deployment.nix b/nixlets/attic/deployment.nix
index b76d58e..9435131 100644
--- a/nixlets/attic/deployment.nix
+++ b/nixlets/attic/deployment.nix
@@ -3,15 +3,26 @@
   lib,
   ...
 }: {
-  kubernetes.resources = {
-    deployments."${values.uniqueName}" = {
+  kubernetes.resources = let
+    # switch to a StatefulSet if we don't use an external storage configuration
+    type =
+      if values.externalStorage
+      then "deployments"
+      else "statefulSets";
+  in {
+    ${type}."${values.uniqueName}" = {
       spec = {
         replicas = values.replicaCount;
         selector.matchLabels.app = "${values.uniqueName}";
+        serviceName = "attic";
         template = {
           metadata.labels.app = "${values.uniqueName}";
           spec = {
-            securityContext.fsGroup = 1000;
+            securityContext = {
+              fsGroup = 1000;
+              runAsUser = 1000;
+              runAsGroup = 1000;
+            };
             containers."api-server" = {
               image = "${values.image.repository}:${values.image.tag}";
               imagePullPolicy = values.image.pullPolicy;