diff --git a/nixos/modules/services/web-servers/caddy/default.nix b/nixos/modules/services/web-servers/caddy/default.nix
index 7f6bc3c4a4d0..8ff01bcb90c3 100644
--- a/nixos/modules/services/web-servers/caddy/default.nix
+++ b/nixos/modules/services/web-servers/caddy/default.nix
@@ -308,7 +308,6 @@ in
StateDirectory = mkIf (cfg.dataDir == "/var/lib/caddy") [ "caddy" ];
LogsDirectory = mkIf (cfg.logDir == "/var/log/caddy") [ "caddy" ];
Restart = "on-abnormal";
- SupplementaryGroups = mkIf (length acmeVHosts != 0) [ "acme" ];
# TODO: attempt to upstream these options
NoNewPrivileges = true;
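Review bot: Dropping the `acme` supplementary group here removes caddy's only fallback read path to the certificate files, and the replacement in the second hunk (`group = mkDefault cfg.group;`, lines for `certCfg`) is overridable, so a user who sets `security.acme.certs.<name>.group` for another consumer of the same certificate silently revokes caddy's access and the service will fail at the next start or reload with no module-level hint. Narrowing caddy from the whole `acme` group to just its own certificates is the right least-privilege direction; it just needs the constraint made visible, either as an assertion in `default.nix` that each `acmeHosts` entry resolves to a cert whose `group` is `cfg.group`, or at minimum a sentence in the `useACMEHost` description (the third hunk removes the old group advice without replacing it), e.g. `The certificate's group is set to services.caddy.group by default; if you override it, ensure the caddy user can still read the certificate.` Since the `SupplementaryGroups` line was the consumer of `acmeVHosts`, it is worth checking whether that binding in `default.nix` is now unused; its definition is outside this hunk.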
@@ -331,9 +330,12 @@ in
security.acme.certs =
let
- reloads = map (useACMEHost: nameValuePair useACMEHost { reloadServices = [ "caddy.service" ]; }) acmeHosts;
+ certCfg = map (useACMEHost: nameValuePair useACMEHost {
+ group = mkDefault cfg.group;
+ reloadServices = [ "caddy.service" ];
+ }) acmeHosts;
in
- listToAttrs reloads;
+ listToAttrs certCfg;
};
}
diff --git a/nixos/modules/services/web-servers/caddy/vhost-options.nix b/nixos/modules/services/web-servers/caddy/vhost-options.nix
index ed4902b03723..3945153fa2c4 100644
--- a/nixos/modules/services/web-servers/caddy/vhost-options.nix
+++ b/nixos/modules/services/web-servers/caddy/vhost-options.nix
@@ -40,9 +40,7 @@ in
Note that this option does not create any certificates, nor
does it add subdomains to existing ones – you will need to create them
- manually using . Additionally,
- you should probably add the caddy user to the
- acme group to grant access to the certificates.
+ manually using .
'';
};