diff --git a/nixos/modules/services/networking/murmur.nix b/nixos/modules/services/networking/murmur.nix
index 85676d29f2b1c..bd4caf32d526e 100644
--- a/nixos/modules/services/networking/murmur.nix
+++ b/nixos/modules/services/networking/murmur.nix
@@ -6,7 +6,7 @@ let
 cfg = config.services.murmur;
 forking = cfg.logFile != null;
 configFile = pkgs.writeText "murmurd.ini" ''
- database=/var/lib/murmur/murmur.sqlite
+ database=${cfg.stateDir}/murmur.sqlite
 dbDriver=QSQLITE
 
 autobanAttempts=${toString cfg.autobanAttempts}
@@ -69,6 +69,14 @@ in
 '';
 };
 
+ stateDir = mkOption {
+ type = types.str;
+ default = "/var/lib/murmur";
+ description = ''
+ Directory to store data for the server.
+ '';
+ };
+
 autobanAttempts = mkOption {
 type = types.int;
 default = 10;
@@ -291,7 +299,7 @@ in
 config = mkIf cfg.enable {
 users.users.murmur = {
 description = "Murmur Service user";
- home = "/var/lib/murmur";
+ home = cfg.stateDir;
 createHome = true;
 uid = config.ids.uids.murmur;
 group = "murmur";
@@ -343,6 +351,7 @@ in
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
 ProtectSystem = "full";
+ ReadWritePaths = [ cfg.stateDir ];
 RestrictAddressFamilies = "~AF_PACKET AF_NETLINK";
 RestrictNamespaces = true;
 RestrictSUIDSGID = true;
@@ -386,9 +395,9 @@ in
 r ${config.environment.etc."os-release".source},
 r ${config.environment.etc."lsb-release".source},
 
- owner rwk /var/lib/murmur/murmur.sqlite,
- owner rw /var/lib/murmur/murmur.sqlite-journal,
- owner r /var/lib/murmur/,
+ owner rwk ${cfg.stateDir}/murmur.sqlite,
+ owner rw ${cfg.stateDir}/murmur.sqlite-journal,
+ owner r ${cfg.stateDir},
 r /run/murmur/murmurd.pid,
 r /run/murmur/murmurd.ini,
 r ${configFile},
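Review bot: The new `stateDir` option is typed `types.str`, so a relative path or a value with a trailing slash is accepted, yet the value is interpolated verbatim into the AppArmor rules (`${cfg.stateDir}/murmur.sqlite`), the INI `database=` line and systemd `ReadWritePaths` in the other hunks, where a relative path or a doubled slash presumably no longer matches the files the service actually opens. Declaring it as `type = types.path;` rejects relative values while keeping the default `"/var/lib/murmur"` valid; whether a trailing slash should additionally be rejected or documented is worth deciding here rather than in each consumer. The option also has no `example`, and its description could state that the directory is created as the `murmur` user's home and must be readable only by that user, since the AppArmor rules grant `owner` access.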
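Review bot: `ReadWritePaths = [ cfg.stateDir ];` has no effect for the default location, because `ProtectSystem = "full"` only makes /usr, /boot and /etc read-only and /var/lib stays writable; a reader who does not know that will either drop the line as redundant or assume it is what grants write access. A one-line comment would make the intent explicit, e.g. `# only needed when stateDir is placed under a tree ProtectSystem makes read-only`. If that is not the intent, the line can be omitted.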
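Review bot: The directory rule `owner r /var/lib/murmur/,` became `owner r ${cfg.stateDir},`, dropping the trailing slash; in AppArmor a path without a trailing slash matches a file of that name rather than the directory, so reads of the state directory itself are presumably now denied under the profile while the two sqlite rules above it still work. Keep the slash: `owner r ${cfg.stateDir}/,`. If a user-supplied `stateDir` ending in `/` is a concern, the same doubled-slash question applies to the `murmur.sqlite` and `murmur.sqlite-journal` rules in this hunk. The AppArmor profile text continues outside the hunk.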