diff --git a/hosts/fw.cloonar.com/modules/gitea.nix b/hosts/fw.cloonar.com/modules/gitea.nix
index 188679c..a487c9b 100644
--- a/hosts/fw.cloonar.com/modules/gitea.nix
+++ b/hosts/fw.cloonar.com/modules/gitea.nix
@@ -17,7 +17,6 @@ in
   };
 
   security.acme.certs."${domain}" = {
-    domain = "${domain}";
     group = "nginx";
   };
 
diff --git a/hosts/fw.cloonar.com/modules/unbound.nix b/hosts/fw.cloonar.com/modules/unbound.nix
index 9c4ceae..65c023e 100644
--- a/hosts/fw.cloonar.com/modules/unbound.nix
+++ b/hosts/fw.cloonar.com/modules/unbound.nix
@@ -130,9 +130,18 @@ let
     ];
   };
 in {
+  users.users.unbound = {
+    group = "unbound";
+    isSystemUser = true;
+    uid = config.ids.uids.unbound;
+  };
+  users.groups.unbound = {
+    gid = config.ids.gids.unbound;
+  }
+
   security.acme.certs."${domain}" = {
     domain = "${domain}";
-    group = "996";
+    group = "unbound";
   };
 
   containers.unbound = {
@@ -164,6 +173,14 @@ in {
           allowedTCPPorts = [ 853 ];
         };
       };
+      users.users.unbound = {
+        group = "unbound";
+        isSystemUser = true;
+        uid = config.ids.uids.unbound;
+      };
+      users.groups.unbound = {
+        gid = config.ids.gids.unbound;
+      }
       services.unbound = {
         enable = true;
         settings = cfg;