diff --git a/nixos/network.nix b/nixos/network.nix
index d3e32ae5..c4102990 100644
--- a/nixos/network.nix
+++ b/nixos/network.nix
@@ -273,12 +273,12 @@
 nameValuePair "${hostname}-cert" {
 text = tf.acme.certs.${hostname}.out.refFullchainPem;
 owner = "nginx";
-group = "nginx";
+group = "domain-auth";
 }) hostnames) // listToAttrs (map (hostname:
 nameValuePair "${hostname}-key" {
 text = tf.acme.certs.${hostname}.out.refPrivateKeyPem;
 owner = "nginx";
-group = "nginx";
+group = "domain-auth";
 }) hostnames);
 services.nginx.virtualHosts = let
@@ -291,6 +291,11 @@
 sslCertificateKey = config.secrets.files."${hostname}-key".path;
 }) hostnames);
+users.groups.domain-auth = {
+gid = 10600;
+members = [ "nginx" "openldap" "keycloak" ];
+};
+
 networking.firewall = {
 interfaces = mkMerge (mapAttrsToList (network: settings: genAttrs settings.interfaces (_: { allowedTCPPortRanges = settings.tcp; allowedUDPPortRanges = settings.udp; })
@@ -300,7 +305,6 @@
 allowedUDPPorts = [ config.services.tailscale.port ];
 };
-services.tailscale.enable = true;
 systemd.services.tailscale-autoconnect = mkIf (builtins.getEnv "TF_IN_AUTOMATION" != "" || tf.state.enable) {
diff --git a/services/keycloak.nix b/services/keycloak.nix
index 26f3cbfe..f515ab5a 100644
--- a/services/keycloak.nix
+++ b/services/keycloak.nix
@@ -24,7 +24,6 @@ in {
 };
-users.groups.domain-auth.members = [ "nginx" "openldap" "keycloak" ];
 /* security.acme.certs.domain-auth = {
 group = "domain-auth";
 postRun = ''
diff --git a/tf b/tf
index e4898b63..04fe3396 160000
--- a/tf
+++ b/tf
@@ -1 +1 @@
-Subproject commit e4898b63141b7be8bd96c0f91fecc807d732aa58
+Subproject commit 04fe3396694d5a10317c37f0376e2397f0323a30
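Review bot: The `${hostname}-key` entries now get `group = "domain-auth"` with no explicit file mode in sight, so whether each TLS private key becomes group-readable depends on the secrets module's default, which this diff does not show; if that default is group-readable, every member of domain-auth — nginx, openldap and keycloak per the group declared in the next hunk — can read the private key of every hostname in `hostnames`, not only the one it fronts. A compromise of keycloak or openldap would then expose all of nginx's TLS keys rather than a single one. If the secrets module exposes a permission option, pin it explicitly to owner/group read only on the key entries rather than relying on the default, and consider limiting the shared group to the hostname those two services actually need; the fullchain entries are public material, so widening their group is harmless. Both listToAttrs expressions begin before the hunk.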
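Review bot: `services.tailscale.enable = true;` is dropped while the firewall two lines above still opens `allowedUDPPorts = [ config.services.tailscale.port ];` and `systemd.services.tailscale-autoconnect` remains; nothing in this diff enables tailscale elsewhere, so unless another module does, the host keeps an inbound UDP port open for a daemon that no longer runs and the autoconnect unit has nothing to connect with. If the enable moved to another module, a comment here would make that visible, `# services.tailscale.enable is set in <module path>`; if not, it should be restored or the firewall entry gated on it, `allowedUDPPorts = mkIf config.services.tailscale.enable [ config.services.tailscale.port ];`. The networking.firewall block opens in the previous hunk and the tailscale-autoconnect definition continues past the end of this one.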