diff --git a/newinfra/nix/hive.nix b/newinfra/nix/hive.nix
index 7028528..87357ef 100644
--- a/newinfra/nix/hive.nix
+++ b/newinfra/nix/hive.nix
@@ -2,7 +2,8 @@
   meta =
     let
       my-projects-versions = builtins.fromJSON (builtins.readFile ./my-projects.json);
-      nixpkgs-path = (fetchTarball "https://github.com/NixOS/nixpkgs/archive/50ab793786d9de88ee30ec4e4c24fb4236fc2674.tar.gz"); # nixos-24.11 2025-07-27
+      nixpkgs-hash = "50ab793786d9de88ee30ec4e4c24fb4236fc2674"; # nixos-24.11 2025-07-27
+      nixpkgs-path = (fetchTarball "https://github.com/NixOS/nixpkgs/archive/${nixpkgs-hash}.tar.gz");
     in
     {
       # Override to pin the Nixpkgs version (recommended). This option
diff --git a/newinfra/nix/modules/caddy/default.nix b/newinfra/nix/modules/caddy/default.nix
index 261118b..bbcb15a 100644
--- a/newinfra/nix/modules/caddy/default.nix
+++ b/newinfra/nix/modules/caddy/default.nix
@@ -30,6 +30,7 @@ in
   age.secrets.caddy_s3_key_secret.file = ../../secrets/caddy_s3_key_secret.age;
 
   systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.caddy_s3_key_secret.path;
+  systemd.services.caddy.after = [ "garage.service" ]; # the cert store depends on garage
   services.caddy = {
     enable = true;
     package = caddy;