diff --git a/configuration/nginx.nix b/configuration/nginx.nix
index 0b72cc1..3ec3bd9 100644
--- a/configuration/nginx.nix
+++ b/configuration/nginx.nix
@@ -53,7 +53,7 @@
         "*.tlater.com"
       ];
       dnsProvider = "porkbun";
-      group = "nginx";
+      group = "ssl-cert";
       credentialFiles = {
         PORKBUN_API_KEY_FILE = config.sops.secrets."porkbun/api-key".path;
         PORKBUN_SECRET_API_KEY_FILE = config.sops.secrets."porkbun/secret-api-key".path;
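Review bot: Nothing at `group = "ssl-cert";` records that membership of this group now means read access to the certificate's private key, and the context lines show a wildcard name in the domain list. A short comment above the line would make that explicit, for example `# Members of this group can read the private key; grant only via SupplementaryGroups to services that terminate TLS`. The enclosing certificate definition starts outside the hunk, so which certificate this belongs to is inferred from the other hunks.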
@@ -61,6 +61,12 @@
     };
   };
 
+  users.groups.ssl-cert = { };
+
+  systemd.services.nginx.serviceConfig.SupplementaryGroups = [
+    config.security.acme.certs."tlater.net".group
+  ];
+
   services.backups.acme = {
     user = "acme";
     paths = lib.mapAttrsToList (
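Review bot: `users.groups.ssl-cert = { };` repeats the group name as a literal, while the `SupplementaryGroups` entry just below it reads the name from `config.security.acme.certs."tlater.net".group`. The two can drift if the certificate's group is ever renamed. Deriving the declaration from the same option keeps them in step: `users.groups.${config.security.acme.certs."tlater.net".group} = { };`. This should evaluate without recursion because the group is set to a fixed string, but that is worth confirming with a build.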
diff --git a/configuration/services/conduit/default.nix b/configuration/services/conduit/default.nix
index 18062ed..c7e4ab4 100644
--- a/configuration/services/conduit/default.nix
+++ b/configuration/services/conduit/default.nix
@@ -50,6 +50,10 @@ in
   # See also https://gitlab.com/famedly/conduit/-/issues/314
   systemd.services.conduit.serviceConfig.EnvironmentFile = config.sops.secrets."turn/env".path;
 
+  systemd.services.coturn.serviceConfig.SupplementaryGroups = [
+    config.security.acme.certs."tlater.net".group
+  ];
+
   services.coturn = {
     enable = true;
     no-cli = true;
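Review bot: The `SupplementaryGroups` entry gives coturn read access to the same private key that nginx serves, so a flaw in the network-facing TURN daemon would expose the key for every name on that certificate. If coturn only needs its own hostname, a separate `security.acme.certs` entry with its own group would keep the two services' keys apart. Otherwise a comment such as `# coturn shares the tlater.net key with nginx` would document the trade-off. The hunk also does not show whether coturn is restarted or reloaded when the certificate renews; if it is not, it will presumably keep presenting the old certificate until its next restart. The `services.coturn` block continues outside the hunk.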