diff --git a/common/server/unifi.nix b/common/server/unifi.nix
index 92f20c4..fe6c132 100644
--- a/common/server/unifi.nix
+++ b/common/server/unifi.nix
@@ -13,6 +13,15 @@ in
 services.unifi.unifiPackage = pkgs.unifi;
 services.unifi.mongodbPackage = pkgs.mongodb-7_0;
+ # The upstream module sets KillSignal=SIGCONT so systemd doesn't interfere
+ # with UniFi's self-managed shutdown. But UniFi's Java process crashes during
+ # shutdown (Spring context already closed) leaving mongod orphaned in the
+ # cgroup. With the default KillMode=control-group, mongod only gets SIGCONT
+ # (a no-op) and runs until the 5min timeout triggers SIGKILL.
+ # KillMode=mixed sends SIGCONT to the main process but SIGTERM to remaining
+ # children, giving mongod a clean shutdown instead of SIGKILL.
+ systemd.services.unifi.serviceConfig.KillMode = "mixed";
 networking.firewall = lib.mkIf cfg.openMinimalFirewall {
 allowedUDPPorts = [
 3478 # STUN
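Review bot: The added comment's claim that `KillMode=mixed` sends SIGTERM to the remaining children does not match systemd.kill(5): in mixed mode the configured KillSignal goes to the main process only, and the rest of the control group receives SIGKILL afterwards. With this setting mongod is therefore likely killed as soon as the Java process exits rather than shut down cleanly, which shortens the stop but does not protect the database from an unclean shutdown. I would reword the last two comment lines to `# KillMode=mixed sends KillSignal to the main process only; remaining processes (mongod) get SIGKILL once it exits, not SIGTERM.` If a clean mongod stop is the goal, stop it explicitly (for example an ExecStopPost step that sends mongod SIGTERM and waits for it) and confirm in the journal that mongod logs a clean shutdown on `systemctl stop unifi`.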