@ross @paperdigits So, the bug here is that nixocaine augments the Caddy service, to add it to the iocaine group, in case one's using unix domain sockets between it and caddy.

This is normally fine.

BUT! The iocaine.service uses DynamicUser=true: the user - and the group - does not exist until the service is started. Hence, Caddy failing to start if iocaine is not running yet.

The correct fix here (I think, but I'll test it first) is to only add this if iocaine has a unix domain socket listener, and when doing so, also add the necessary Requires and After attributes aswell.

Until I fix nixocaine, the workaround, if you don't want to manually start these two, is to force systemd.services.caddy.serviceConfig.SupplementaryGroups = lib.mkForce []; empty (assuming you're not using unix domain sockets), or add systemd.services.caddy.requires = [ "iocaine.service" ]; and systemd.services.caddy.after = [ "iocaine.service" ];.