From c51c7183c131e40a3b5f234a84294755e637ff29 Mon Sep 17 00:00:00 2001
From: ashisgreat22
Date: Wed, 18 Mar 2026 22:12:28 +0100
Subject: [PATCH] Allow AdGuard Home to read ACME certificates via ReadOnlyPaths
---
 modules/adguard.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/adguard.nix b/modules/adguard.nix
index cd329f7..a4920a9 100644
--- a/modules/adguard.nix
+++ b/modules/adguard.nix
@@ -141,7 +141,8 @@ in
 systemd.services.adguardhome = {
 requires = [ "acme-${cfg.domain}.service" ];
 after = [ "acme-${cfg.domain}.service" ];
- serviceConfig.SupplementaryGroups = [ "acme" ];
+ serviceConfig.SupplementaryGroups = [ "acme" "nginx" ];
+ serviceConfig.ReadOnlyPaths = [ "/var/lib/acme/${cfg.domain}" ];
 serviceConfig.SystemCallFilter = lib.mkForce []; # Allow yq-go to run its syscalls
 preStart = lib.mkAfter ''
 if [ -f /var/lib/private/AdGuardHome/AdGuardHome.yaml ]; then
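Review bot: Adding `"nginx"` to `SupplementaryGroups` lets the AdGuard Home process read everything that is group-readable by nginx, which is wider than the one certificate directory the commit is about. It is also this group membership that grants the access: `ReadOnlyPaths` only remounts `/var/lib/acme/${cfg.domain}` read-only inside the unit's mount namespace and does not change who may open the files, so the line is a hardening measure rather than a grant and deserves a comment saying so, e.g. `# read-only view of the cert dir; access itself comes from the group`. If the certificate's group is nginx's (the ACME certificate definition is not visible in this hunk), a narrower option is to give the certificate its own group, for example `security.acme.certs.${cfg.domain}.group = "<cert-group>";` with `<cert-group>` a placeholder, and add only that group here and to nginx. The `systemd.services.adguardhome` body continues outside the hunk.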