From 03f6b81b1bf8c69a407d11b5c7c40bf0a783a8f3 Mon Sep 17 00:00:00 2001
From: "Casper V. Kristensen"
Date: Tue, 16 Apr 2024 02:32:16 +0200
Subject: [PATCH] caddy: don't take exclusive lock on acme cert

---
 hosts/alpha/acme.nix | 6 +++++-
 hosts/sigma/acme.nix | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/hosts/alpha/acme.nix b/hosts/alpha/acme.nix
index ba4f9e1..ea03a07 100644
--- a/hosts/alpha/acme.nix
+++ b/hosts/alpha/acme.nix
@@ -1,10 +1,14 @@
-{...}: {
+{lib, ...}: {
   security.acme.certs."caspervk.net" = {
     domain = "*.caspervk.net";
     reloadServices = [
       "caddy.service"
       "murmur.service"
     ];
+    # The NixOS Caddy module is a little too clever and sets the cert's group
+    # to 'caddy', which means other services can't load it. This is not needed
+    # since we handle the group membership manually.
+    group = lib.mkForce "acme";
   };
   users.groups.acme.members = [
     "caddy"
diff --git a/hosts/sigma/acme.nix b/hosts/sigma/acme.nix
index bfdba92..9c37186 100644
--- a/hosts/sigma/acme.nix
+++ b/hosts/sigma/acme.nix
@@ -1,9 +1,13 @@
-{...}: {
+{lib, ...}: {
   security.acme.certs."caspervk.net" = {
     domain = "*.caspervk.net";
     reloadServices = [
       "caddy.service"
     ];
+    # The NixOS Caddy module is a little too clever and sets the cert's group
+    # to 'caddy', which means other services can't load it. This is not needed
+    # since we handle the group membership manually.
+    group = lib.mkForce "acme";
   };
   users.groups.acme.members = [
     "caddy"
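Review bot: Forcing the certificate's group to `acme` on the added `group = lib.mkForce "acme";` line in hosts/alpha/acme.nix means every member of `users.groups.acme` can read the private key of the wildcard `*.caspervk.net` certificate, and on this host `murmur.service` is among the reloaders, so it is presumably in that group and receives a key valid for every subdomain rather than only its own. That is a legitimate trade-off, but the added comment only explains the mechanism; I would state the trust boundary next to it: `# NOTE: every member of the 'acme' group can read the wildcard private key, so only add services that may impersonate any *.caspervk.net host.` If the Caddy module sets this group with `mkDefault` rather than a plain assignment, a plain `group = "acme";` would already win and `mkForce` would hide a genuine conflict with some other module, which is worth confirming against the module source. The `users.groups.acme.members` list and the enclosing attribute set continue past the end of the hunk.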
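Review bot: The added comment in hosts/sigma/acme.nix says the Caddy module's group setting "is not needed", which reads as if `group` could simply be dropped, whereas the override is precisely what makes the key readable by the services listed below; I would reword it to `# Override the group the NixOS Caddy module sets ('caddy') back to 'acme' so every service in users.groups.acme below can read the key.` This block is now identical to hosts/alpha/acme.nix apart from the reloadServices list, and keeping it in one shared module would stop the two hosts from drifting on a setting that decides who can read the wildcard private key. Note that `lib.mkForce` also overrides any future higher-priority definition of the same option, so a conflicting setting would be silently resolved instead of reported at evaluation time. The enclosing attribute set and the `users.groups.acme.members` list continue past the end of the hunk.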