diff --git a/services/fediversity/pixelfed.nix b/services/fediversity/pixelfed.nix
index 279445e..37d33ce 100644
--- a/services/fediversity/pixelfed.nix
+++ b/services/fediversity/pixelfed.nix
@@ -13,6 +13,14 @@ in
 }:
 
 lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
+
+  ## Pixelfed as packaged in nixpkgs has a permission issue that prevents Nginx
+  ## from being able to serving the images. We fix it here, but this should be
+  ## upstreamed. See https://github.com/NixOS/nixpkgs/issues/235147
+  services.pixelfed.package = pkgs.pixelfed.overrideAttrs (old: {
+    patches = (old.patches or [ ]) ++ [ ./pixelfed-group-permissions.patch ];
+  });
+
   services.garage = {
     ensureBuckets = {
       pixelfed = {
@@ -61,6 +69,8 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
     };
   };
 
+  users.users.nginx.extraGroups = [ "pixelfed" ];
+
   services.pixelfed.settings = {
     ## NOTE: This depends on the targets, eg. universities might want control
     ## over who has an account. We probably want a universal