diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml
index 60b4a3bc17b..ef2b1d34189 100644
--- a/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixos/doc/manual/release-notes/rl-1909.xml
@@ -161,6 +161,17 @@
       The <literal>hunspellDicts.fr-any</literal> dictionary now ships with <literal>fr_FR.{aff,dic}</literal>
       which is linked to <literal>fr-toutesvariantes.{aff,dic}</literal>.
     </para>
+  </listitem>
+  <listitem>
+    <para>
+      The <literal>mysql</literal> service now runs as <literal>mysql</literal>
+      user. Previously, systemd did execute it as root, and mysql dropped privileges
+      itself.
+      This includes <literal>ExecStartPre=</literal> and
+      <literal>ExecStartPost=</literal> phases.
+      To accomplish that, runtime and data directory setup was delegated to
+      RuntimeDirectory and tmpfiles.
+    </para>
    </listitem>
   </itemizedlist>
  </section>
diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix
index 7b097e95e14..97e58fd228f 100644
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -326,6 +326,8 @@ in
         '';
 
         serviceConfig = {
+          User = cfg.user;
+          Group = "mysql";
           Type = if hasNotify then "notify" else "simple";
           # /run/mysqld needs to be created in addition to pidDir, as they could point to different locations
           RuntimeDirectory = "mysqld";