We have had the same question with nginx as well. The short answer - don’t do it.
Caddy is supposed to run with a user that only has access to exactly the files it needs to process and nothing else. Exposing (parts of) your home directory is a really bad idea.
The module is locked down this way and you will have to open up a few things to make it work. Instead, move whatever files it needs to a place it always has access to.
To clarify one small point: the issue isn’t running as another user, the issue is running as a regular account instead of a dedicated system account I believe. Don’t try to run system level systemd services without system users.
This works today… but it won’t work the next week after 13 more systemd hardening rules are applied to our module. For better or worse, depending on your perspective, NixOS is a very opinionated distro with respect to systemd configuration.
To be clear I’m not aware of any concrete plans to add more systemd hardening to caddy module and I was using sarcasm to make my point that you’re fighting an uphill battle against NixOS maintainers if you do what you have suggested.
Hi there, it seems I’ve found the reason and a solution. As a heavy user of Caddy myself, I’ve encountered this issue multiple times on several servers before, and previously couldn’t pinpoint the cause or fix it. The workaround I used back then was to modify /lib/systemd/system/caddy.service to specify running as the root user.
Today, I’ve noticed it might be related to the inconsistency between the UID and GID of the caddy user in /etc/passwd. Upon observing the servers where the issue occurred, I found that the IDs of the caddy user and group were different. Adjusting this resolved the problem.
for example:
$ grep caddy /etc/passwd
caddy:x:999:998:Caddy web server:/var/lib/caddy:/usr/sbin/nologin
then I change to:
caddy:x:999:999:Caddy web server:/var/lib/caddy:/usr/sbin/nologin
Of course, make sure the modified UID, GID don’t conflict with existing users and groups.