From d623a01ebd50d227f1297acb129f852993cd111d Mon Sep 17 00:00:00 2001
From: steffen
Date: Sat, 14 Mar 2026 13:45:08 +0100
Subject: [PATCH] fix ACME: set default group to nginx for webroot permissions

The ACME challenge directory was created with group 'acme' but nginx needs read access to serve challenge responses. Setting defaults.group to 'nginx' ensures all ACME directories are accessible by nginx.
---
 modules/nixos/nginx/default.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/nixos/nginx/default.nix b/modules/nixos/nginx/default.nix
index d28d7a9..3b2bef1 100644
--- a/modules/nixos/nginx/default.nix
+++ b/modules/nixos/nginx/default.nix
@@ -62,6 +62,7 @@ in
 acceptTerms = true;
 defaults.email = mkDefault "postmaster@${config.networking.domain}";
 defaults.webroot = mkDefault "/var/lib/acme/acme-challenge";
+ defaults.group = mkDefault "nginx";
 };

 security.dhparams = mkIf cfg.forceSSL {
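Review bot: `defaults.group` on the added line reaches further than the webroot the commit message describes: every certificate that does not set its own `group` inherits it, and in the NixOS ACME module that group is, as far as I can tell, also the one granted read access to the issued certificate and private key files. Any non-nginx certificate declared elsewhere in the configuration would then have its key readable by the nginx group, so it is worth confirming that this is intended. If only the challenge directory needs opening up, setting the group on the certificates nginx actually serves is the narrower option; otherwise record the trade-off next to the line, e.g. `# also makes every cert inheriting these defaults (incl. key files) group-readable by nginx`. The enclosing attribute set starts outside the hunk, so per-certificate overrides may already exist out of view.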