diff --git a/services/haproxy-acme.nix b/services/haproxy-acme.nix
index ad59904..96d28cd 100644
--- a/services/haproxy-acme.nix
+++ b/services/haproxy-acme.nix
@@ -133,8 +133,8 @@ in
 ) cfg.services;
 webroot = "/var/www/challenges";
 email = "paul@nyanlout.re";
- user = "haproxy";
- group = "haproxy";
+ allowKeysForGroup = true;
+ group = "acme";
 postRun = ''
 systemctl reload haproxy.service
 '';
@@ -142,6 +142,8 @@ in
 };
 security.acme.directory = "/var/lib/acme";
+ users.groups.acme.members = [ "haproxy" ];
+
 networking.firewall.allowedTCPPorts = [ 80 443 ];
diff --git a/systems/LoutreOS/services.nix b/systems/LoutreOS/services.nix
index abe891e..0a9ad17 100644
--- a/systems/LoutreOS/services.nix
+++ b/systems/LoutreOS/services.nix
@@ -254,6 +254,8 @@ in
 database_args = {
 database = "matrix-synapse";
 };
+ tls_private_key_path = "/var/lib/acme/${domaine}/key.pem";
+ tls_certificate_path = "/var/lib/acme/${domaine}/fullchain.pem";
 extraConfig = ''
 max_upload_size: "100M"
 '';
@@ -411,6 +413,8 @@ in
 };
 };
+ users.groups.acme.members = [ "matrix-synapse" ];
+
 security.sudo.extraRules = [
 { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; } ];
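Review bot: Replacing `user = "haproxy"` with `allowKeysForGroup = true; group = "acme"` changes the private key from a file owned by the one service that uses it into one shared through group membership, and the hunk in systems/LoutreOS/services.nix adds matrix-synapse to that same group, so a compromise of either service now exposes the key material of every certificate this module issues rather than only the one each service needs. Nothing in the hunk records that this widening is intentional; I would add above `allowKeysForGroup = true;` a comment such as `# key.pem is made group-readable so haproxy (and any other member of group acme) can load it; every member can read every cert's key`. If only one certificate is meant to be shared, a per-certificate group or a second certificate issued to the synapse user would keep the blast radius per service. `allowKeysForGroup` is also, as far as I recall, a version-specific option of the NixOS ACME module, so this deserves a note to revisit on module upgrades; the enclosing certificate definition starts before the hunk.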
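Review bot: Pointing `tls_private_key_path` and `tls_certificate_path` at the haproxy-acme certificate directory gives synapse no renewal hook: the only `postRun` visible in this change (in services/haproxy-acme.nix) reloads haproxy, so after a renewal synapse keeps serving the old certificate until something restarts it, and once that one expires its TLS listener breaks. Unless a restart is wired elsewhere, I would add next to these two lines something like `security.acme.certs."${domaine}".postRun = "systemctl restart matrix-synapse.service";` (or extend the existing postRun in the other module). The paths further assume a certificate named exactly `${domaine}` is issued by the haproxy-acme module and that group acme can traverse that directory, neither of which is visible here, so a comment such as `# reuses the cert haproxy-acme issues for ${domaine}; synapse reads key.pem via the acme group, see users.groups.acme below` would record the dependency. The enclosing matrix-synapse option set starts and ends outside the hunk.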