diff --git a/hosts/pek0/default.nix b/hosts/pek0/default.nix
index 3b276b5..6e0eac4 100644
--- a/hosts/pek0/default.nix
+++ b/hosts/pek0/default.nix
@@ -84,12 +84,10 @@
     trusted_proxies_strict = 1;
   };
 
-  systemd.services.caddy.serviceConfig = {
-    SupplementaryGroups = [
-      "mastodon"
-      "matrix-synapse"
-    ];
-  };
+  systemd.services."caddy".serviceConfig.SupplementaryGroups = [
+    "mastodon"
+    "matrix-synapse"
+  ];
 
   services.postgresql = {
     enable = true;
diff --git a/hosts/pek0/services/matrix.nix b/hosts/pek0/services/matrix.nix
index 7c434cf..359c14f 100644
--- a/hosts/pek0/services/matrix.nix
+++ b/hosts/pek0/services/matrix.nix
@@ -23,12 +23,6 @@
         }
       ];
 
-      experimental_features = {
-        # MSC3575 (Sliding Sync API endpoints)
-        # TODO: drop matrix-sliding-sync proxy
-        msc3575_enabled = true;
-      };
-
       # https://element-hq.github.io/synapse/latest/openid.html#keycloak
       oidc_providers = lib.singleton {
         idp_id = "keycloak";
diff --git a/hosts/tyo0/default.nix b/hosts/tyo0/default.nix
index 5c6d5f6..369b438 100644
--- a/hosts/tyo0/default.nix
+++ b/hosts/tyo0/default.nix
@@ -64,6 +64,10 @@
     listen = [ ":443" ];
   };
 
+  systemd.services."caddy".serviceConfig.SupplementaryGroups = [
+    "forgejo"
+  ];
+
   services.caddy.settings.apps.http.servers.srv0.routes = [
     {
       match = lib.singleton {
diff --git a/hosts/tyo0/services/forgejo.nix b/hosts/tyo0/services/forgejo.nix
index 4956069..5f409a5 100644
--- a/hosts/tyo0/services/forgejo.nix
+++ b/hosts/tyo0/services/forgejo.nix
@@ -14,6 +14,7 @@
         PROTOCOL = "http+unix";
         ROOT_URL = "https://git.ny4.dev/";
         SSH_DOMAIN = "tyo0.ny4.dev";
+        UNIX_SOCKET_PERMISSION = "660";
       };
 
       service = {