services/traefik: set service's working directory

services/traefik.nix

@@ -19,6 +19,7 @@ let
   letsEncryptStaging = "https://acme-staging-v02.api.letsencrypt.org/directory";
   letsEncryptProd = "https://acme-v02.api.letsencrypt.org/directory";
   logDir = "/var/log/traefik";
+  workingDir = "~";
 in
 {
   options.traefik = {
@@ -37,11 +38,15 @@ in
     services.tailscale.permitCertUid = "traefik";
 
     # Create log dir for access logs, then allow traefik to access them
+    # We need to set the working directory to /var/lib, for the plugins-storage directory
     systemd = {
       tmpfiles.rules = [
         "d ${logDir} 0750 traefik traefik -"
       ];
-      services.traefik.serviceConfig.ReadWritePaths = [ logDir ];
+      services.traefik.serviceConfig = {
+        ReadWritePaths = [ logDir ];
+        WorkingDirectory = workingDir;
+      };
     };
 
     # We want the alloy collector to be able to read traefik logs