diff --git a/modules/adguard.nix b/modules/adguard.nix
index cd329f7..a4920a9 100644
--- a/modules/adguard.nix
+++ b/modules/adguard.nix
@@ -141,7 +141,8 @@ in
 systemd.services.adguardhome = {
 requires = [ "acme-${cfg.domain}.service" ];
 after = [ "acme-${cfg.domain}.service" ];
- serviceConfig.SupplementaryGroups = [ "acme" ];
+ serviceConfig.SupplementaryGroups = [ "acme" "nginx" ];
+ serviceConfig.ReadOnlyPaths = [ "/var/lib/acme/${cfg.domain}" ];
 serviceConfig.SystemCallFilter = lib.mkForce []; # Allow yq-go to run its syscalls
 preStart = lib.mkAfter ''
 if [ -f /var/lib/private/AdGuardHome/AdGuardHome.yaml ]; then
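Review bot: Adding `"nginx"` to `serviceConfig.SupplementaryGroups` gives the AdGuardHome process every file and socket the nginx group can access, not only this domain's certificate. The new `ReadOnlyPaths` entry does not narrow that, since it only blocks writes to `/var/lib/acme/${cfg.domain}` and leaves group read access elsewhere untouched. If the group is needed because the cert directory is group-owned by nginx (not visible in this hunk), a narrower option is to pass the key and chain with `serviceConfig.LoadCredential`, or to give this cert its own group via `security.acme.certs.<name>.group`. Otherwise, record the reason next to the line, e.g. `# nginx: cert dir for cfg.domain is group-owned by nginx`. The `systemd.services.adguardhome` block continues outside the hunk.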