Allow AdGuard Home to read ACME certificates via ReadOnlyPaths

2026-03-18 22:12:28 +01:00 · 2026-03-18 22:12:28 +01:00 · c51c7183c1
commit c51c7183c1
parent deedd00762
1 changed files with 2 additions and 1 deletions
--- a/modules/adguard.nix
+++ b/modules/adguard.nix
@ -141,7 +141,8 @@ in
    systemd.services.adguardhome = {
      requires = [ "acme-${cfg.domain}.service" ];
      after = [ "acme-${cfg.domain}.service" ];
-      serviceConfig.SupplementaryGroups = [ "acme" ];
+      serviceConfig.SupplementaryGroups = [ "acme" "nginx" ];
+      serviceConfig.ReadOnlyPaths = [ "/var/lib/acme/${cfg.domain}" ];
      serviceConfig.SystemCallFilter = lib.mkForce []; # Allow yq-go to run its syscalls
      preStart = lib.mkAfter ''
        if [ -f /var/lib/private/AdGuardHome/AdGuardHome.yaml ]; then