diff --git a/Makefile b/Makefile
index bd529b6..43e76bd 100644
--- a/Makefile
+++ b/Makefile
@@ -29,6 +29,7 @@ install:
 	@chmod 755 ${NAGIOS_EXEC}/check_onion
 	@echo installing ircbot.sh to ${PREFIX}/bin
 	@cp -f ircbot.sh ${PREFIX}/bin
+	test -f /etc/ircbot.conf || install -m 640 ircbot.conf.default /etc/ircbot.conf
 	@chmod 755 ${PREFIX}/bin/ircbot.sh
 
 uninstall:
diff --git a/README.md b/README.md
index dc13c87..daea892 100644
--- a/README.md
+++ b/README.md
@@ -59,3 +59,7 @@ systemd or rc. Start it with `systemctl start ircbot` or `rcctl start ircbot`.
 
 The nagios IRC bot (ircbot.sh) does not automatically rejoin the
 IRC server and channel after it loses the connection.
+
+The Makefile does not install the /etc/ircbot.conf configuration
+file with the correct ownership and permissions. It should be
+readable by nagios user on Linux and _nagios user on OpenBSD.
diff --git a/ircbot.conf.default b/ircbot.conf.default
new file mode 100644
index 0000000..42d5516
--- /dev/null
+++ b/ircbot.conf.default
@@ -0,0 +1,10 @@
+nick='nagios'
+chan='#ops'
+server='irc.example.org'
+email='nagios@example.org'
+password='mysecretpass'
+port='6667'
+inputf=/tmp/ircinput
+msgf=/tmp/ircmsg
+logf=/tmp/notify_irc.log
+joinmsg="nagios bot reporting"
diff --git a/ircbot.sh b/ircbot.sh
index 2f656d8..e79a05d 100755
--- a/ircbot.sh
+++ b/ircbot.sh
@@ -2,19 +2,14 @@
 
 # TODO: make sure only nagios can write to $inputf and $msgf, else do not run
 
-# configuration area
-# TODO: separate configuration into a file owned by nagios user.
-# this improves security and allows reinstall (from git) to not clobber config.
-nick='nagios'
-chan='#ops'
-server='irc.anarchyplanet.org'
-email='nagios@anarchyplanet.org'
-password='mysecretpass'
-port='6667'
-inputf=/tmp/ircinput
-msgf=/tmp/ircmsg
-logf=/tmp/notify_irc.log
-joinmsg="nagios bot reporting"
+conf=/etc/ircbot.conf
+
+if ! test -r $conf; then
+    echo "cannot read configuration file, exiting"
+    exit 1
+else
+    . $conf
+fi
 
 touch $msgf