diff --git a/hosts/shared/caddy.nix b/hosts/shared/caddy.nix
index 13d1325..d790ba6 100644
--- a/hosts/shared/caddy.nix
+++ b/hosts/shared/caddy.nix
@@ -1,10 +1,10 @@
 { config, inputs, pkgs, ... }: {
   sops = {
     secrets = {
-      "digitalocean/token_file" = {
-        mode = "444";
-        owner = config.users.users.root.name;
-        group = config.users.users.root.group;
+      "caddy/env_file" = {
+        mode = "400";
+        owner = config.users.users.caddy.name;
+        inherit (config.users.users.caddy) group;
       };
     };
   };
@@ -17,7 +17,7 @@
     '';
     logFormat = "level INFO";
   };
-  systemd.services.caddy.serviceConfig.EnvironmentFile = config.sops.secrets."digitalocean/token_file".path;
+  systemd.services.caddy.serviceConfig.EnvironmentFile = config.sops.secrets."caddy/env_file".path;
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
 
diff --git a/secrets.yaml b/secrets.yaml
index 8bd8569..a17e9e7 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -24,8 +24,8 @@ frp:
     token_file: ENC[AES256_GCM,data:y8QgggTJaQ2STMGNGT0RagUhBgA6H20plzEwd9jNhdXl1098URUV0288YoTnQcc=,iv:/BYWC2WYvXrlvNc97RJTfhf1IratSRU0vHcaxLXJ+V4=,tag:PlStSrzm09fW442uBHAiUg==,type:str]
 matrix:
     syncv3_secret: ENC[AES256_GCM,data:05lLSSolNO55VjJQL3nLNGo2jiZUZht2FKNvc2O2dCccSfglrwm6J5Guzns9ZlT8X9j74lvlWlbM6Q==,iv:1zARbgZ9GJV1UMJ+WjFPNYPqhRjGVj4iLYMpfsRjrko=,tag:fQ9Vg1xD1k2eYlEbtF6q8A==,type:str]
-digitalocean:
-    token_file: ENC[AES256_GCM,data:Sd3TFDI12Md8rFS8iwIQTtgMUUoZ1cIa4zAge/UbusOy9N6URLTFQUEOMO6t28QjyLdP1A3mCqitL7WEkdgZOj9dJUZPpa1odJZssCa3YGjn74vM,iv:vRS0QCTU88/jOhZncCX9VhYPNnexV2kw2xT1/Q0qwPc=,tag:009UNaNBNjXYPlPPJK8fYw==,type:str]
+caddy:
+    env_file: ENC[AES256_GCM,data:FPMNS356/fZ9DFgu0/lH5S2+zKBkeo5VAYFK9fFgxNRm2IRWQg79yfW8xTJuAZw5AZrEiNvpfU0eDO+q1fLEdJccINHatKjTD/gMUCb3oAA7u6b2,iv:sBmSTTtvRtOtoBSEMzzhtnSFoX9Va85g6K2bVxB4Kak=,tag:pv7/pwG3M2qrnrMMJ9eePw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -95,8 +95,8 @@ sops:
             YzdpTitkMHh6VUFtV2FodVF6OWJkTU0KBjC+esgHZ8hTWXwZ+cy4++jLP+gsruHM
             fmRDhvQu0MNHkjQ8q4VmwRVl10uc8CyTDFTuyDoAhvmnzXHtrg1wpA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-14T09:29:44Z"
-    mac: ENC[AES256_GCM,data:o5SSxjXA6JJ2Q2TJu8bhUYcmywyiqb6/f4nzfynoHoW/x3fuc9gJbpTqJz8Zxc+vTNZE8EUW+j2zsHLNf0t7QjaJeUJdqXnAr6tTdIAbAXmDrIEvu39Oq2ukmRgwbzGODUc5ziTswGu/5REMT7k1kmlt2dJ1MXoVaSW+xbpl3lI=,iv:B5l69QsOApyuXfNpHY+ibkeo9RO5t2fcoykVAc6wFvk=,tag:HbByozsuOMYzzmu3mIVfFQ==,type:str]
+    lastmodified: "2024-09-14T14:04:05Z"
+    mac: ENC[AES256_GCM,data:Vw54t+H/aHL/eZNQfqU286frv4Tssi6SBJULel3FThOrvmdRDAW5I/yCrnveW08cxcE6BKaHjIhi5OkZYPeEMJdJLsZwcaXLzX1IKKk2wKlB+SlzwHAoMYmawaeIlrHBRbskvTClN9K6G69EH7p5ZBBrC+OQHHKCLOMvEalC9Js=,iv:MXxG8gVchbNxUmIXlDRIcUsrZex9Wj8Z7W24BErHwmw=,tag:Lo65RimG0l/B8a1AEQnaKA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0