diff --git a/nixos/modules/services/misc/redlib.nix b/nixos/modules/services/misc/redlib.nix
index 177214b9ec05..3e3cd31a814c 100644
--- a/nixos/modules/services/misc/redlib.nix
+++ b/nixos/modules/services/misc/redlib.nix
@@ -93,17 +93,26 @@ in
     systemd.services.redlib = {
       wantedBy = [ "default.target" ];
       environment = mapAttrs (_: v: if isBool v then boolToString' v else toString v) cfg.settings;
-      serviceConfig = {
-        ExecStart = [
-          ""
-          "${lib.getExe cfg.package} ${args}"
-        ];
-        AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
-        CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
-        # A private user cannot have process capabilities on the host's user
-        # namespace and thus CAP_NET_BIND_SERVICE has no effect.
-        PrivateUsers = (cfg.port >= 1024);
-      };
+      serviceConfig =
+        {
+          ExecStart = [
+            ""
+            "${lib.getExe cfg.package} ${args}"
+          ];
+        }
+        // (
+          if (cfg.port < 1024) then
+            {
+              AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+              CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+            }
+          else
+            {
+              # A private user cannot have process capabilities on the host's user
+              # namespace and thus CAP_NET_BIND_SERVICE has no effect.
+              PrivateUsers = true;
+            }
+        );
     };
 
     networking.firewall = mkIf cfg.openFirewall {
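Review bot: The port >= 1024 branch no longer clears the capability bounding set: the removed code emitted `CapabilityBoundingSet = [ "" ]` there (rendered as an empty `CapabilityBoundingSet=`), while the new `else` attrset sets only `PrivateUsers = true`, so the unprivileged service keeps whatever bounding set the unit otherwise has. The `ExecStart = [ "" … ]` override pattern suggests an upstream unit file contributes settings, but that is outside this hunk, so whether an empty bounding set still arrives from elsewhere cannot be confirmed here. `PrivateUsers = true` makes host capabilities ineffective, yet it does not replace an explicit drop as defence in depth, and the comment carried over into the `else` branch only explains `PrivateUsers`. Suggest adding `CapabilityBoundingSet = [ "" ];` beside `PrivateUsers = true;`, or a comment stating where the empty bounding set now comes from. The enclosing `systemd.services.redlib` attrset is cut off on both sides of the hunk.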