diff --git a/image-recipe/configs/archipelago.service b/image-recipe/configs/archipelago.service
index 4e69581b..eb3fd154 100644
--- a/image-recipe/configs/archipelago.service
+++ b/image-recipe/configs/archipelago.service
@@ -30,7 +30,7 @@ ReadWritePaths=/var/lib/archipelago /etc/containers /var/lib/containers /run/con
 # Privilege restriction — restored with rootless podman (no sudo needed)
 NoNewPrivileges=yes
 PrivateDevices=no
-SupplementaryGroups=dialout
+SupplementaryGroups=dialout debian-tor
 
 # Network restriction (allow only IPv4/IPv6 + Unix sockets)
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6