diff --git a/configuration.nix b/configuration.nix
index f1e5699..717ae0d 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -39,6 +39,7 @@
     wget vimHugeX curl git htop tmux manpages
     zip unzip
     tinc_pre
+    python37
   ];
 
   # SSH config. Change passwordAuthentication if you want to log in with a password.
diff --git a/inquisitor.nix b/inquisitor.nix
index bcbc0c7..079e32f 100644
--- a/inquisitor.nix
+++ b/inquisitor.nix
@@ -2,21 +2,45 @@
 
 let
   # Import the inquisitor package
-  inquisitorSource = fetchFromGitHub {
+  inquisitorSource = pkgs.fetchFromGitHub {
     owner = "Jaculabilis";
     repo = "Inquisitor";
     rev = "9001bd8f920cc120f38e998d63a8134969a00032";
     sha256 = "0nx1dszvmn6a86jhj3c9607jqy0bmijjjz3jb3v5lsnpwwkjs5w6";
   };
-  inquisitor = callPackage inquisitorSource {};
+  inquisitor = pkgs.callPackage inquisitorSource {};
 
   # Create the inquisitor config file in the nix store
-  inquisitorConfig = pkgs.writeTextFile "inquisitor.conf" ''
-    DataPath = /var/lib/inquisitor/data/
-    SourcePath = /var/lib/inquisitor/sources/
-    CachePath = /var/lib/inquisitor/cache/
-    Verbose = false
-    LogFile = /var/log/inquisitor.log
+  inquisitorConfig = pkgs.writeTextFile {
+    name = "inquisitor.conf";
+    text = ''
+      DataPath = /var/lib/inquisitor/data/
+      SourcePath = /var/lib/inquisitor/sources/
+      CachePath = /var/lib/inquisitor/cache/
+      Verbose = false
+      LogFile = /var/log/inquisitor.log
+    '';
+  };
+
+  # Create the inquisitor run script
+  # TODO gunicorn
+  inquisitorRun = pkgs.writeShellScriptBin "run.sh" ''
+    # Ensure inquisitor directories and inquisitor source folder
+    ${pkgs.coreutils}/bin/mkdir -p /var/lib/inquisitor/data/inquisitor/ || exit
+    ${pkgs.coreutils}/bin/mkdir -p /var/lib/inquisitor/sources/
+    ${pkgs.coreutils}/bin/mkdir -p /var/lib/inquisitor/cache/
+    if [ ! -f /var/lib/inquisitor/data/inquisitor/state ]; then
+      ${pkgs.coreutils}/bin/echo "{}" > /var/lib/inquisitor/data/inquisitor/state
+    fi
+
+    # Run inquisitor
+    cd /var/lib/inquisitor/
+    INQUISITOR_CONFIG=${inquisitorConfig} ${inquisitor}/bin/inquisitor run
+  '';
+
+  # Create a wrapper script to let users call into inquisitor safely
+  inquisitorWrapper = pkgs.writeShellScriptBin "inq" ''
+    INQUISITOR_CONFIG=${inquisitorConfig} ${inquisitor}/bin/inquisitor "$@"
   '';
 in
 {
@@ -27,35 +51,23 @@ in
     packages = [ inquisitor ];
   };
 
-  # TODO replace with wrapper that sets envvar
-  environment.systemPackages = [ inquisitor ];
+  # Give all users the inq wrapper
+  environment.systemPackages = [ inquisitorWrapper ];
 
   # Set up the inquisitor service
   systemd.services.inquisitor =
   let
-    # Inquisitor needs some state set up to work properly
     inquisitorSetup = pkgs.writeShellScriptBin "setup.sh" ''
-      mkdir -p /var/lib/inquisitor/data/inquisitor/
-      mkdir -p /var/lib/inquisitor/sources/
-      mkdir -p /var/lib/inquisitor/cache/
-      echo "{}" > /var/lib/inquisitor/data/inquisitor/state
-    '';
-    # Set up server invocation
-    #inquisitorRun = pkgs.writeShellScriptBin "run.sh" ''
-    #  ${pkgs.gunicorn}/bin/gunicorn
-    #''; TODO
-    inquisitorRun = pkgs.writeShellScriptBin "run.sh" ''
-      ${inquisitor}/bin/inquisitor run
+      ${pkgs.coreutils}/bin/mkdir -p /var/lib/inquisitor &&
+      ${pkgs.coreutils}/bin/chown inquisitor /var/lib/inquisitor
     '';
   in {
     description = "Inquisitor server";
-    environment = { INQUISITOR_CONFIG = $"{inquisitorConfig}"; }; # TODO gunicorn -e
-    preStart = "${inquisitorSetup}/bin/setup.sh";
-    script = $"${inquisitorRun}/bin/run.sh";
+    script = "${inquisitorRun}/bin/run.sh";
     serviceConfig = {
       User = "inquisitor";
       Type = "simple";
-      WorkingDirectory = "/var/lib/inquisitor/";
+      ExecStartPre = "+${inquisitorSetup}/bin/setup.sh";
     };
     wantedBy = [ "multi-user.target" ];
     after = [ "network.target" ];