diff --git a/modules/system/services/caddy.nix b/modules/system/services/caddy.nix
index c77c034..f42a4e3 100644
--- a/modules/system/services/caddy.nix
+++ b/modules/system/services/caddy.nix
@@ -101,7 +101,10 @@ in
 }
 (lib.mkIf tailscaleHostsExist {
- sops.secrets."tailscale/service-auth-key".owner = config.services.caddy.user;
+ sops.secrets."tailscale/service-auth-key" = {
+ owner = config.services.caddy.user;
+ restartUnits = [ "caddy.service" ];
+ };
 services.caddy = {
 package = caddyWithTailscale;
diff --git a/modules/system/services/crowdsec/default.nix b/modules/system/services/crowdsec/default.nix
index f0238d8..a725908 100644
--- a/modules/system/services/crowdsec/default.nix
+++ b/modules/system/services/crowdsec/default.nix
@@ -36,7 +36,10 @@ in
 cfg.prometheusPort
 ];
- sops.secrets."crowdsec/enrollment-key".owner = user;
+ sops.secrets."crowdsec/enrollment-key" = {
+ owner = user;
+ restartUnits = [ "crowdsec.service" ];
+ };
 users.groups.caddy.members = lib.mkIf cfg.sources.caddy [ user ];
diff --git a/modules/system/services/forgejo/default.nix b/modules/system/services/forgejo/default.nix
index 18a9c88..90891a8 100644
--- a/modules/system/services/forgejo/default.nix
+++ b/modules/system/services/forgejo/default.nix
@@ -27,7 +27,10 @@ in
 ports.tcp.list = [ cfg.port ];
 };
- sops.secrets."forgejo/admin-password".owner = config.users.users.git.name;
+ sops.secrets."forgejo/admin-password" = {
+ owner = config.users.users.git.name;
+ restartUnits = [ "forgejo.service" ];
+ };
 users = {
 users.git = {
diff --git a/modules/system/services/gatus.nix b/modules/system/services/gatus.nix
index a827a8c..284b50e 100644
--- a/modules/system/services/gatus.nix
+++ b/modules/system/services/gatus.nix
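Review bot: Restarting `forgejo.service` when `forgejo/admin-password` changes only rotates the credential if the unit's start path re-applies the password to the existing admin account, and that code is outside this hunk. The same applies to the `grafana/admin-password` hunk in grafana.nix: Grafana uses its configured admin password only when it first creates the admin user, so a restart after rotation would leave the old password valid while the secret looks rotated. If neither service re-applies it, add a comment next to both entries such as `# restart does not reset the stored admin password; run the password reset after rotating this secret`.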
@@ -76,9 +76,10 @@ in
 sops = {
 secrets."healthchecks/ping-key" = { };
- templates."gatus.env".content = ''
- HEALTHCHECKS_PING_KEY=${config.sops.placeholder."healthchecks/ping-key"}
- '';
+ templates."gatus.env" = {
+ content = "HEALTHCHECKS_PING_KEY=${config.sops.placeholder."healthchecks/ping-key"}";
+ restartUnits = [ "gatus.service" ];
+ };
 };
 custom.services.gatus.endpoints =
diff --git a/modules/system/services/grafana.nix b/modules/system/services/grafana.nix
index d2b3737..239842f 100644
--- a/modules/system/services/grafana.nix
+++ b/modules/system/services/grafana.nix
@@ -21,7 +21,10 @@ in
 ports.tcp.list = [ cfg.port ];
 };
- sops.secrets."grafana/admin-password".owner = config.users.users.grafana.name;
+ sops.secrets."grafana/admin-password" = {
+ owner = config.users.users.grafana.name;
+ restartUnits = [ "grafana.service" ];
+ };
 services.grafana = {
 enable = true;
diff --git a/modules/system/services/hedgedoc.nix b/modules/system/services/hedgedoc.nix
index 1681bd4..f1ccd34 100644
--- a/modules/system/services/hedgedoc.nix
+++ b/modules/system/services/hedgedoc.nix
@@ -32,6 +32,7 @@ in
 templates."hedgedoc/environment" = {
 owner = config.users.users.hedgedoc.name;
 content = "GITLAB_CLIENTSECRET=${config.sops.placeholder."hedgedoc/gitlab-auth-secret"}";
+ restartUnits = [ "hedgedoc.service" ];
 };
 };
diff --git a/modules/system/services/radicale.nix b/modules/system/services/radicale.nix
index 6547c63..287e32f 100644
--- a/modules/system/services/radicale.nix
+++ b/modules/system/services/radicale.nix
@@ -33,6 +33,7 @@ in
 templates."radicale/htpasswd" = {
 owner = config.users.users.radicale.name;
 content = "seb:${config.sops.placeholder."radicale/admin-password"}";
+ restartUnits = [ "radicale.service" ];
 };
 };
diff --git a/modules/system/services/syncthing.nix b/modules/system/services/syncthing.nix
index 849b6df..5e7db16 100644
--- a/modules/system/services/syncthing.nix
+++ b/modules/system/services/syncthing.nix
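Review bot: Rewriting `templates."gatus.env".content` from a `''` block to a one-line string also removes the trailing newline from the rendered env file, which is a second behaviour change unrelated to the restart wiring. It is probably harmless for an environment file, but keeping the `''` form, or mentioning the change in the commit message, would keep this hunk to one change. The consumer of `gatus.env` is outside the hunk, so how it parses the file cannot be checked here.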
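Review bot: The template that `restartUnits = [ "radicale.service" ]` is attached to renders `content = "seb:${config.sops.placeholder."radicale/admin-password"}"`, so the sops value lands in the htpasswd file exactly as stored. If that value is the cleartext password, Radicale has to be running with plain htpasswd checking (its auth settings are outside this hunk); storing a bcrypt hash in the secret instead would keep the cleartext out of the rendered file. A short comment on the `content` line stating which form the secret holds, e.g. `# value is a bcrypt hash, not the cleartext password`, would make that checkable at review time.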
@@ -59,8 +59,14 @@ in
 };
 sops.secrets = lib.mkIf useStaticTls {
- "syncthing/cert".owner = config.services.syncthing.user;
- "syncthing/key".owner = config.services.syncthing.user;
+ "syncthing/cert" = {
+ owner = config.services.syncthing.user;
+ restartUnits = [ "syncthing.service" ];
+ };
+ "syncthing/key" = {
+ owner = config.services.syncthing.user;
+ restartUnits = [ "syncthing.service" ];
+ };
 };
 services.syncthing = {
diff --git a/modules/system/services/tailscale.nix b/modules/system/services/tailscale.nix
index 72c1cf8..f4d57d0 100644
--- a/modules/system/services/tailscale.nix
+++ b/modules/system/services/tailscale.nix
@@ -18,7 +18,7 @@ in
 config.services.tailscale.port
 ];
- sops.secrets."tailscale/auth-key" = { };
+ sops.secrets."tailscale/auth-key".restartUnits = [ "tailscaled.service" ];
 services.tailscale = {
 enable = true;
diff --git a/modules/system/services/wlan.nix b/modules/system/services/wlan.nix
index ba7ec43..ee2efd7 100644
--- a/modules/system/services/wlan.nix
+++ b/modules/system/services/wlan.nix
@@ -31,7 +31,7 @@ in
 cfg.networks
 |> lib.map (name: {
 name = "iwd/${name}";
- value = { };
+ value.restartUnits = [ "iwd.service" ];
 })
 |> lib.listToAttrs;
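Review bot: Restarting `tailscaled.service` when `tailscale/auth-key` changes probably does not make the node pick up the new key, and it drops the tailnet connection in the middle of activation. In the NixOS module an auth key file is consumed by the separate `tailscaled-autoconnect.service`, and only while the node is not yet logged in; how this secret is wired into `services.tailscale` is outside the hunk, so this needs confirming. If that is the wiring, `restartUnits = [ "tailscaled-autoconnect.service" ];` or no restart at all is the safer choice, particularly for hosts that are deployed over Tailscale.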
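Review bot: `value.restartUnits = [ "iwd.service" ];` restarts the Wi-Fi daemon whenever any `iwd/<name>` secret changes, so a host that is reachable only over WLAN loses its link during activation and a mistyped passphrase leaves it offline. Whether iwd needs a restart to see the new value depends on how the secret reaches its network files, which is outside this hunk. If the restart is required, a comment such as `# restarting iwd drops Wi-Fi; rotate PSKs with console access available` would record the operational risk next to the setting.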