diff --git a/lib/tiny-cloud/user-data/alpine-config b/lib/tiny-cloud/user-data/alpine-config
index f4c0736..1164140 100644
--- a/lib/tiny-cloud/user-data/alpine-config
+++ b/lib/tiny-cloud/user-data/alpine-config
@@ -270,7 +270,7 @@ in_list() {
 init__userdata_users() {
 	local users="$(get_userdata users)"
 	for i in $users; do
-		local name gecos homedir shell lock_passwd=true
+		local name gecos homedir shell system=false lock_passwd=true
 		local keys="$(get_userdata users/$i)"
 		if [ "$i" = 1 ] && [ "$keys" = "default" ]; then
 			continue
@@ -289,10 +289,17 @@ init__userdata_users() {
 		if in_list shell $keys; then
 			shell="$(get_userdata users/$i/shell)"
 		fi
+		if in_list system $keys; then
+			system="$(get_userdata users/$i/system)"
+		fi
+
 		if getent passwd "$user" >/dev/null; then
 			log -i -t "$phase" info "$ACTION: user $user already exists"
 		else
-			$MOCK adduser -D ${gecos:+-g "$gecos"} ${homedir:+-h "$homedir"} ${shell:+-s "$shell"} "$name"
+			if [ "$system" != "true" ]; then
+				unset system
+			fi
+			$MOCK adduser -D ${gecos:+-g "$gecos"} ${homedir:+-h "$homedir"} ${shell:+-s "$shell"} ${system:+-S} "$name"
 		fi
 
 		if in_list lock_passwd $keys; then
diff --git a/tests/tiny-cloud-alpine.test b/tests/tiny-cloud-alpine.test
index 26b3ee7..0a1fc5e 100755
--- a/tests/tiny-cloud-alpine.test
+++ b/tests/tiny-cloud-alpine.test
@@ -22,6 +22,7 @@ init_tests \
 	userdata_users_gecos \
 	userdata_users_homedir \
 	userdata_users_shell \
+	userdata_users_system \
 	userdata_users_lock_passwd \
 	userdata_users_ssh_authorized_keys \
 	userdata_ssh_authorized_keys \
@@ -247,6 +248,22 @@ userdata_users_shell_body() {
 		tiny-cloud main
 }
 
+userdata_users_system_body() {
+	# first specified user will replace default user
+	fake_userdata_nocloud <<-EOF
+		#alpine-config
+		users:
+		  - default
+		  - name: foo
+		    system: true
+	EOF
+	atf_check -e ignore -o ignore tiny-cloud early
+	atf_check \
+		-e match:"userdata_users: done" \
+		-o match:"adduser.*-S.*foo" \
+		tiny-cloud main
+}
+
 userdata_users_lock_passwd_body() {
 	# first specified user will replace default user
 	fake_userdata_nocloud <<-EOF