diff --git a/modules/system/services/caddy.nix b/modules/system/services/caddy.nix
index 9446e7b..6b6dd32 100644
--- a/modules/system/services/caddy.nix
+++ b/modules/system/services/caddy.nix
@@ -54,6 +54,7 @@ in
 virtualHosts = lib.mapAttrs' (
 _: value:
 lib.nameValuePair value.domain {
+ logFormat = "output file ${config.services.caddy.logDir}/access-${value.domain}.log { mode 640 }";
 extraConfig = lib.concatStrings [
 (lib.optionalString (isTailscaleDomain value.domain) ''
 bind tailscale/${getSubdomain value.domain}
diff --git a/modules/system/services/crowdsec/default.nix b/modules/system/services/crowdsec/default.nix
index 76ef72f..8817917 100644
--- a/modules/system/services/crowdsec/default.nix
+++ b/modules/system/services/crowdsec/default.nix
@@ -7,6 +7,8 @@
 }:
 let
 cfg = config.custom.services.crowdsec;
+
+ user = config.users.users.crowdsec.name;
 in
 {
 imports = [ inputs.crowdsec.nixosModules.crowdsec ];
@@ -32,7 +34,9 @@ in
 config = lib.mkIf cfg.enable {
 nixpkgs.overlays = [ inputs.crowdsec.overlays.default ];
- sops.secrets."crowdsec/enrollment-key".owner = config.users.users.crowdsec.name;
+ sops.secrets."crowdsec/enrollment-key".owner = user;
+
+ users.groups.caddy.members = lib.mkIf (lib.elem "caddy" cfg.sources) [ user ];
 services.crowdsec = {
 enable = true;
@@ -53,7 +57,10 @@ in
 in
 [
 (mkAcquisition (lib.elem "sshd" cfg.sources) "sshd.service")
- (mkAcquisition (lib.elem "caddy" cfg.sources) "caddy.service")
+ (lib.mkIf (lib.elem "caddy" cfg.sources) {
+ filenames = [ "${config.services.caddy.logDir}/*.log" ];
+ labels.type = "caddy";
+ })
 (lib.mkIf (lib.elem "iptables" cfg.sources) {
 source = "journalctl";
 journalctl_filter = [ "-k" ];
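Review bot: The `mode 640` on the added `logFormat` line is what lets a group member other than Caddy read the access logs, but nothing on the line says so or names the consumer, so a later cleanup could drop it and silently blind the log reader. A comment such as `# group-readable so the CrowdSec file acquisition (member of the caddy group) can read these logs` would record the dependency. Caddy presumably applies the mode when it creates the file, so access logs that already exist from before this change may keep their old permissions until they are rotated or fixed by hand; worth checking on deployed hosts. `value.domain` also goes into the filename unmodified, so if a domain value can ever contain `/` or a space the path should be sanitised first. The enclosing attribute set continues outside the hunk.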
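Review bot: `users.groups.caddy.members` on the added line hard-codes the group name and gives the CrowdSec user the whole `caddy` group, not just read access to the access logs. Anything else on the host that is group-readable by `caddy` becomes readable by the log parser as well, so it is worth confirming that Caddy's state directory is not group-accessible, or using a dedicated log-reader group instead. If the membership stays, `users.groups.${config.services.caddy.group}.members = ...` would follow the configured group rather than assuming the default name. The `lib.mkIf` condition checks only `cfg.sources`, so with Caddy disabled this appears to define a `caddy` group entry on its own.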
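Review bot: The glob `${config.services.caddy.logDir}/*.log` in the new acquisition entry picks up every `.log` file in that directory and labels it `caddy`, while the only files the Caddy module is shown to write are `access-<domain>.log`. Narrowing it to `"${config.services.caddy.logDir}/access-*.log"` keeps unrelated or differently formatted logs out of the parser. The entry also depends on those files being group-readable, which is configured in `caddy.nix`; a virtual host defined elsewhere without `mode 640` would presumably go unmonitored without any error, so a comment here naming that dependency would help. The enclosing list starts and ends outside the hunk.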