diff --git a/nixos/doc/manual/release-notes/rl-2605.section.md b/nixos/doc/manual/release-notes/rl-2605.section.md
index f88d88fe2ca0..608e5556de2f 100644
--- a/nixos/doc/manual/release-notes/rl-2605.section.md
+++ b/nixos/doc/manual/release-notes/rl-2605.section.md
@@ -200,6 +200,10 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
   - `nextcloud31` is EOL and was thus removed.
   - Please note that an upgrade from v31 (or older) to v33 directly is not possible. Please upgrade to `nextcloud32` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud32;`](#opt-services.nextcloud.package).
 
+- InvoicePlane with the Caddy webserver (`services.invoiceplane.webserver = "caddy"`) now sets up sites with Caddy's automatic HTTPS instead of HTTP-only.
+  To keep the old behavior for a site `example.com`, set `services.caddy.virtualHosts."example.com".hostName = "http://example.com"`.
+  If you set custom Caddy options for a InvoicePlane site, migrate these options by removing `http://` from `services.caddy.virtualHosts."http://example.com"`.
+
 - `services.slurm` now supports slurmrestd usage through the `services.slurm.rest` NixOS options.
 
 - `services.kanidm` options for server, client and unix were moved under dedicated namespaces.
diff --git a/nixos/modules/services/web-apps/invoiceplane.nix b/nixos/modules/services/web-apps/invoiceplane.nix
index bd261ea9ec23..617b5b4616b2 100644
--- a/nixos/modules/services/web-apps/invoiceplane.nix
+++ b/nixos/modules/services/web-apps/invoiceplane.nix
@@ -441,7 +441,7 @@ in
         enable = true;
         virtualHosts = mapAttrs' (
           hostName: cfg:
-          (nameValuePair "http://${hostName}" {
+          (nameValuePair hostName {
             extraConfig = ''
               root * ${pkg hostName cfg}
               file_server
diff --git a/nixos/tests/invoiceplane.nix b/nixos/tests/invoiceplane.nix
index 4ead3ef94ee7..991293c9c415 100644
--- a/nixos/tests/invoiceplane.nix
+++ b/nixos/tests/invoiceplane.nix
@@ -26,7 +26,17 @@
           };
         };
 
-        networking.firewall.allowedTCPPorts = [ 80 ];
+        services.caddy.virtualHosts."site1.local".extraConfig = ''
+          tls internal
+        '';
+        services.caddy.virtualHosts."site2.local".extraConfig = ''
+          tls internal
+        '';
+
+        networking.firewall.allowedTCPPorts = [
+          80
+          443
+        ];
         networking.hosts."127.0.0.1" = [
           "site1.local"
           "site2.local"
@@ -76,41 +86,41 @@
           machine.wait_for_unit(f"phpfpm-invoiceplane-{site_name}")
 
           with subtest("Website returns welcome screen"):
-              assert "Please install InvoicePlane" in machine.succeed(f"curl -L {site_name}")
+              assert "Please install InvoicePlane" in machine.succeed(f"curl -sSfkL {site_name}")
 
           with subtest("Finish InvoicePlane setup"):
             machine.succeed(
-              f"curl -sSfL --cookie-jar cjar {site_name}/setup/language"
+              f"curl -sSfkL --cookie-jar cjar {site_name}/setup/language"
             )
             csrf_token = machine.succeed(
               "grep ip_csrf_cookie cjar | cut -f 7 | tr -d '\n'"
             )
             machine.succeed(
-              f"curl -sSfL --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&ip_lang=english&btn_continue=Continue' {site_name}/setup/language"
+              f"curl -sSfkL --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&ip_lang=english&btn_continue=Continue' {site_name}/setup/language"
             )
             csrf_token = machine.succeed(
               "grep ip_csrf_cookie cjar | cut -f 7 | tr -d '\n'"
             )
             machine.succeed(
-              f"curl -sSfL --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&btn_continue=Continue' {site_name}/setup/prerequisites"
+              f"curl -sSfkL --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&btn_continue=Continue' {site_name}/setup/prerequisites"
             )
             csrf_token = machine.succeed(
               "grep ip_csrf_cookie cjar | cut -f 7 | tr -d '\n'"
             )
             machine.succeed(
-              f"curl -sSfL --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&btn_continue=Continue' {site_name}/setup/configure_database"
+              f"curl -sSfkL --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&btn_continue=Continue' {site_name}/setup/configure_database"
             )
             csrf_token = machine.succeed(
               "grep ip_csrf_cookie cjar | cut -f 7 | tr -d '\n'"
             )
             machine.succeed(
-              f"curl -sSfl --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&btn_continue=Continue' {site_name}/setup/install_tables"
+              f"curl -sSfkl --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&btn_continue=Continue' {site_name}/setup/install_tables"
             )
             csrf_token = machine.succeed(
               "grep ip_csrf_cookie cjar | cut -f 7 | tr -d '\n'"
             )
             machine.succeed(
-              f"curl -sSfl --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&btn_continue=Continue' {site_name}/setup/upgrade_tables"
-            )
+              f"curl -sSfkl --cookie cjar --cookie-jar cjar -d '_ip_csrf={csrf_token}&btn_continue=Continue' {site_name}/setup/upgrade_tables"
+          )
   '';
 }