diff --git a/hosts/fw.cloonar.com/modules/unbound.nix b/hosts/fw.cloonar.com/modules/unbound.nix
index 6981bd3..1024f78 100644
--- a/hosts/fw.cloonar.com/modules/unbound.nix
+++ b/hosts/fw.cloonar.com/modules/unbound.nix
@@ -133,17 +133,17 @@ in {
   services.unbound = {
     enable = true;
     settings = cfg // {
-      server = {
-        tls-cert-bundle = "/var/lib/acme/fw.cloonnar.com/fullchain.pem";
-      };
+      server.tls-cert-bundle = "/var/lib/acme/fw.cloonnar.com/fullchain.pem";
     }; 
   };
   security.acme.certs."fw.cloonar.com" = {
     domain = "fw.cloonar.com";
+    group = "unbound";
   };
 
   security.acme.certs."${domain}" = {
     domain = "${domain}";
+    group = "996";
   };
 
   containers.unbound = {