diff --git a/modules/services/immich/default.nix b/modules/services/immich/default.nix
index 2d933f5..a1b3c17 100644
--- a/modules/services/immich/default.nix
+++ b/modules/services/immich/default.nix
@@ -41,6 +41,7 @@ in
   imports = [ "${nixpkgs-unstable}/nixos/modules/services/web-apps/immich.nix" ];
 
   config = lib.mkIf cfg.enable {
+
     services.immich = {
       package = immich-package;
       enable = true;
@@ -64,6 +65,8 @@ in
         CapabilityBoundingSet = lib.mkForce "~";
         ExecStart = lib.mkForce ("!" + (lib.getExe startScript));
         PrivateUsers = lib.mkForce false; # bindfs fails otherwise
+
+        SupplementaryGroups = lib.mkForce [ "immich" ]; # TODO remove on 24.11
       };
     };