diff --git a/hosts/aws/tyo0/default.nix b/hosts/aws/tyo0/default.nix
index a001277..214b4f6 100644
--- a/hosts/aws/tyo0/default.nix
+++ b/hosts/aws/tyo0/default.nix
@@ -63,7 +63,10 @@
     listen = [ ":443" ];
   };
 
-  systemd.services."caddy".serviceConfig.SupplementaryGroups = [ "forgejo" ];
+  systemd.services."caddy".serviceConfig.SupplementaryGroups = [
+    "forgejo"
+    "ntfy-sh"
+  ];
 
   services.caddy.settings.apps.http.servers.srv0.routes = [
     {
diff --git a/hosts/aws/tyo0/services/ntfy.nix b/hosts/aws/tyo0/services/ntfy.nix
index eebe031..eaef8c8 100644
--- a/hosts/aws/tyo0/services/ntfy.nix
+++ b/hosts/aws/tyo0/services/ntfy.nix
@@ -6,7 +6,7 @@
       base-url = "https://ntfy.ny4.dev";
       listen-http = "";
       listen-unix = "/run/ntfy-sh/ntfy.sock";
-      listen-unix-mode = 511; # 0777
+      listen-unix-mode = 432; # 0660
       behind-proxy = true;
     };
   };