diff --git a/nixos/modules/services/web-servers/caddy/default.nix b/nixos/modules/services/web-servers/caddy/default.nix
index 7f6bc3c4a4d0..8ff01bcb90c3 100644
--- a/nixos/modules/services/web-servers/caddy/default.nix
+++ b/nixos/modules/services/web-servers/caddy/default.nix
@@ -308,7 +308,6 @@ in
         StateDirectory = mkIf (cfg.dataDir == "/var/lib/caddy") [ "caddy" ];
         LogsDirectory = mkIf (cfg.logDir == "/var/log/caddy") [ "caddy" ];
         Restart = "on-abnormal";
-        SupplementaryGroups = mkIf (length acmeVHosts != 0) [ "acme" ];
         # TODO: attempt to upstream these options
         NoNewPrivileges = true;
@@ -331,9 +330,12 @@ in
     security.acme.certs =
       let
-        reloads = map (useACMEHost: nameValuePair useACMEHost { reloadServices = [ "caddy.service" ]; }) acmeHosts;
+        certCfg = map (useACMEHost: nameValuePair useACMEHost {
+          group = mkDefault cfg.group;
+          reloadServices = [ "caddy.service" ];
+        }) acmeHosts;
       in
-        listToAttrs reloads;
+        listToAttrs certCfg;
     };
 }
diff --git a/nixos/modules/services/web-servers/caddy/vhost-options.nix b/nixos/modules/services/web-servers/caddy/vhost-options.nix
index ed4902b03723..3945153fa2c4 100644
--- a/nixos/modules/services/web-servers/caddy/vhost-options.nix
+++ b/nixos/modules/services/web-servers/caddy/vhost-options.nix
@@ -40,9 +40,7 @@ in
         Note that this option does not create any certificates, nor does it add
         subdomains to existing ones – you will need to create them
-        manually using . Additionally,
-        you should probably add the caddy user to the
-        acme group to grant access to the certificates.
+        manually using .
       '';
     };
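Review bot: Now that the first hunk of default.nix drops `SupplementaryGroups = [ "acme" ]` unconditionally, the only thing granting caddy read access to its certificate files is the `group = mkDefault cfg.group` line in the second hunk, and because it is `mkDefault` any user-set `security.acme.certs.<name>.group` (for example to share the cert with another server) replaces it and leaves caddy unable to read the key — a failure that surfaces only at runtime, not at evaluation. The narrowing itself is the right direction (caddy no longer gets read access to every cert under the acme group, only to the ones it uses), but that contract is not written down anywhere, and the vhost-options.nix hunk removes the old guidance without replacing it. I would add a comment above `group = mkDefault cfg.group;` such as `# caddy.service no longer joins the "acme" group; it can read these certs only because they are group-owned by cfg.group. An override of a cert's group must keep it readable by that group (or add it to SupplementaryGroups).`, and consider an assertion or a module-level `SupplementaryGroups` derived from the configured cert groups so a mismatch fails at build time. `acmeHosts` and `acmeVHosts` are defined outside these hunks, so I could not confirm they cover the same set of certificates.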