I am currently switching over from Debian/rocky lxc containers on proxmox to declaratively creating vm via opentofu, then running nixos-anywhere and then running colmena for updates etc. works great and I should have done it sooner.

Problem Tailscale. I encrypted the authkey via agenix but the new nixos hosts can not read the file and fail to login. The file is available but I think the vms can not decrypt it. Needs further investigation

Does the caddy user have the permissions to read the files ? I ran into that problem as well. If only caddy needs the cert I moved them into /etc/caddy, chowned the dir again, make sure you use the full path of the cert so /etc/caddy/domain.crt not ./domain.crt