Make sure dkim has access to key path

lib/fudo/mail/dkim.nix

@@ -99,17 +99,19 @@ in {
       };
     };
 
-    systemd.services.opendkim = {
+    systemd = {
-      preStart = lib.mkForce createAllCerts;
+      tmpfiles.rules = [
-      serviceConfig = {
+        "d '${cfg.dkim.key-directory}' - ${config.services.opendkim.user} ${config.services.opendkim.group} - -"
-        ExecStart = lib.mkForce
+      ];
-          "${cfg.dkim.package}/bin/opendkim ${escapeShellArgs args}";
+      services.opendkim = {
-        PermissionsStartOnly = lib.mkForce false;
+        preStart = lib.mkForce createAllCerts;
+        serviceConfig = {
+          ExecStart = lib.mkForce
+            "${cfg.dkim.package}/bin/opendkim ${escapeShellArgs args}";
+          PermissionsStartOnly = lib.mkForce false;
+          ReadWritePaths = [ cfg.dkim.key-directory ];
+        };
       };
     };
-
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dkim.key-directory}' - ${config.services.opendkim.user} ${config.services.opendkim.group} - -"
-    ];
   };
 }