diff --git a/hosts/alpha/acme.nix b/hosts/alpha/acme.nix
index ba4f9e1..ea03a07 100644
--- a/hosts/alpha/acme.nix
+++ b/hosts/alpha/acme.nix
@@ -1,10 +1,14 @@
-{...}: {
+{lib, ...}: {
 security.acme.certs."caspervk.net" = {
 domain = "*.caspervk.net";
 reloadServices = [
 "caddy.service"
 "murmur.service"
 ];
+ # The NixOS Caddy module is a little too clever and sets the cert's group
+ # to 'caddy', which means other services can't load it. This is not needed
+ # since we handle the group membership manually.
+ group = lib.mkForce "acme";
 };
 users.groups.acme.members = [
 "caddy"
diff --git a/hosts/sigma/acme.nix b/hosts/sigma/acme.nix
index bfdba92..9c37186 100644
--- a/hosts/sigma/acme.nix
+++ b/hosts/sigma/acme.nix
@@ -1,9 +1,13 @@
-{...}: {
+{lib, ...}: {
 security.acme.certs."caspervk.net" = {
 domain = "*.caspervk.net";
 reloadServices = [
 "caddy.service"
 ];
+ # The NixOS Caddy module is a little too clever and sets the cert's group
+ # to 'caddy', which means other services can't load it. This is not needed
+ # since we handle the group membership manually.
+ group = lib.mkForce "acme";
 };
 users.groups.acme.members = [
 "caddy"
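Review bot: With `group = lib.mkForce "acme";` in place, `users.groups.acme.members` presumably becomes the only access list for the `*.caspervk.net` wildcard private key, but the added comment explains only why the Caddy default is overridden. A wildcard key covers every subdomain, so I would add a comment above the members list in both hosts/alpha/acme.nix and hosts/sigma/acme.nix, for example `# Every member of 'acme' can read the *.caspervk.net wildcard key; add only services that terminate TLS.`. The members list continues outside both hunks, so I cannot see who else is in the group. `mkForce` also silently wins over any later definition of this option, and the identical block is now duplicated per host; a shared module would keep the override and its rationale in one place.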