diff --git a/social/prosody/docker-compose.yml b/social/prosody/docker-compose.yml
index fe31156..ba7b1b5 100644
--- a/social/prosody/docker-compose.yml
+++ b/social/prosody/docker-compose.yml
@@ -11,13 +11,20 @@ services:
 - ./data:/var/lib/prosody
 - ./certs:/etc/prosody/certs
- # One-time init: dumps certs from Traefik's acme.json and makes them readable
- certs-init:
+ # Watches Traefik's acme.json and extracts certs into the shared volume
+ prosody-certs:
 image: ldez/traefik-certs-dumper:latest
- container_name: prosody-certs-init
- restart: "no"
+ container_name: prosody-certs
+ restart: unless-stopped
 entrypoint: /bin/sh
- command: -c "traefik-certs-dumper file --version v2 --source /traefik/acme.json --dest /output && chmod 644 /output/certs/*.crt /output/private/*.key"
+ command:
+ - "-c"
+ - |
+ printf '#!/bin/sh\nchmod 644 /output/certs/*.crt /output/private/*.key 2>/dev/null\nexit 0\n' > /tmp/on-cert-update.sh &&
+ chmod +x /tmp/on-cert-update.sh &&
+ traefik-certs-dumper file --version v2 --source /traefik/acme.json --dest /output &&
+ chmod 644 /output/certs/*.crt /output/private/*.key &&
+ exec traefik-certs-dumper file --watch --version v2 --source /traefik/acme.json --dest /output --post-hook /tmp/on-cert-update.sh
 volumes:
 - ../../tools/wireguard/letsencrypt:/traefik:ro # Change this to cert path if not using same folder structure
 - ./certs:/output
@@ -36,8 +43,6 @@ services:
 depends_on:
 prosody-init:
 condition: service_completed_successfully
- certs-init:
- condition: service_completed_successfully
 networks:
 traefik_portal:
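Review bot: The new `prosody-certs` command sets `/output/private/*.key` to mode 644 in both the initial dump and the generated `/tmp/on-cert-update.sh` hook, so each TLS private key the dumper writes is world-readable in the bind-mounted `./certs` directory, and the hook re-applies that mode on every renewal. Keep 644 for the certificates only and restrict the keys, e.g. `chmod 644 /output/certs/*.crt && chmod 640 /output/private/*.key` plus `chown <prosody-uid>:<prosody-gid> /output/private/*.key` (the ids are not visible in this diff, so take them from the Prosody image). The hook also discards chmod errors with `2>/dev/null` and `exit 0`, so a failed permission fix after a renewal would go unnoticed; writing the failure to stderr would make it visible in the container log. Since this container is now long-running with read access to acme.json, pinning `ldez/traefik-certs-dumper` to a fixed tag or digest instead of `:latest` is worth considering.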