diff --git a/acme.nix b/acme.nix
index 484b7dd..9eef03e 100644
--- a/acme.nix
+++ b/acme.nix
@@ -3,4 +3,7 @@
 {
 security.acme.acceptTerms = true;
 security.acme.email = "kontakt@hamburg.freifunk.net";
+ users.groups.certs = {
+ members = [ "dovecot2" "nginx" "postfix" ];
+ };
 }
diff --git a/dovecot.nix b/dovecot.nix
index e004db7..417f1a1 100644
--- a/dovecot.nix
+++ b/dovecot.nix
@@ -119,7 +119,7 @@ in
 security = lib.mkIf config.variables.useSSL {
 acme.certs."dovecot2.${config.variables.myFQDN}" = {
 domain = "${config.variables.myFQDN}";
- group = config.services.dovecot2.group;
+ group = "certs";
 postRun = "systemctl restart dovecot2.service";
 # cheat by getting the webroot from another certificate configured through nginx.
 webroot = config.security.acme.certs."${config.variables.myFQDN}".webroot;
diff --git a/postfix.nix b/postfix.nix
index 3c274bb..c9fe644 100644
--- a/postfix.nix
+++ b/postfix.nix
@@ -37,7 +37,7 @@ in
 # Configure the certificates...
 acme.certs."postfix.${config.variables.myFQDN}" = {
 domain = "${config.variables.myFQDN}";
- group = config.services.postfix.group;
+ group = "certs";
 postRun = "systemctl restart postfix.service";
 # cheat by getting some settings from another certificate configured through nginx.
 webroot = config.security.acme.certs."${config.variables.myFQDN}".webroot;
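Review bot: The new `users.groups.certs` group in acme.nix widens read access to private keys. The dovecot.nix and postfix.nix hunks move both mail certificates to `group = "certs"`, so dovecot2, nginx and postfix can presumably each read the key files of both certificates, where before each certificate was readable only by its own service's group. Nothing visible in this diff assigns the nginx certificate to `certs`, so the `nginx` membership looks unnecessary from here; if nginx does not read the mail certificates, narrow the list to `members = [ "dovecot2" "postfix" ];`. If the shared group is intentional, a comment above it such as `# shared read access to ACME private keys; keep membership minimal` would record the trade-off. The member names are also hard-coded, whereas the removed lines derived them from the service options; `config.services.dovecot2.user` and `config.services.postfix.user` would keep the membership correct if a service user is overridden.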
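Review bot: In dovecot.nix the certificate group is now a bare string, `group = "certs";`, and the postfix.nix hunk repeats the same literal, while the group itself is defined in acme.nix. Renaming or removing the group there would leave both references stale, and the failure would likely only show up when the ACME unit or the mail service next touches the key files. Referencing the definition instead, `group = config.users.groups.certs.name;`, makes such a mismatch fail at evaluation time. The enclosing `security = lib.mkIf config.variables.useSSL { … }` block starts and ends outside the hunk, so it is not visible whether the group definition is also meant to depend on `useSSL`.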