diff --git a/hosts/caramel/default.nix b/hosts/caramel/default.nix
index 64c5fe7..2112c65 100644
--- a/hosts/caramel/default.nix
+++ b/hosts/caramel/default.nix
@@ -4,6 +4,7 @@
 time.timeZone = "Asia/Phnom_Penh";
 age.secrets = {
+acme_dns.file = ../../secrets/acme_dns.age;
 passwd.file = ../../secrets/passwd.age;
 wpa_conf.file = ../../secrets/wpa_conf.age;
 wg_caramel.file = ../../secrets/wg_caramel.age;
diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix
index 3218b9f..9098b56 100644
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@@ -1,6 +1,14 @@
-{ inputs, ... }: {
-security.acme.acceptTerms = true;
-security.acme.email = "me@lava.moe";
+{ config, inputs, ... }: {
+security.acme = {
+acceptTerms = true;
+email = "me@lava.moe";
+certs."lava.moe" = {
+domain = "*.lava.moe";
+dnsProvider = "cloudflare";
+credentialsFile = config.age.secrets."acme_dns".path;
+};
+};
+
 services.nginx = {
 enable = true;
 recommendedTlsSettings = true;
@@ -10,7 +18,7 @@
 virtualHosts = {
 "lava.moe" = {
-enableACME = true;
+useACMEHost = "lava.moe";
 forceSSL = true;
 root = inputs.website.outPath;
 };
diff --git a/secrets.nix b/secrets.nix
index eba03b5..fa81f33 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -8,6 +8,7 @@ in {
 "secrets/passwd.age".publicKeys = [ blossom caramel sugarcane rin ];
 "secrets/wpa_conf.age".publicKeys = [ blossom caramel rin ];
+"secrets/acme_dns.age".publicKeys = [ caramel rin ];
 "secrets/wg_blossom.age".publicKeys = [ blossom rin ];
 "secrets/wg_caramel.age".publicKeys = [ caramel rin ];
 "secrets/wg_sugarcane.age".publicKeys = [ sugarcane rin ];
diff --git a/secrets/acme_dns.age b/secrets/acme_dns.age
new file mode 100644
index 0000000..aae2a16
--- /dev/null
+++ b/secrets/acme_dns.age
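Review bot: The wildcard certificate `domain = "*.lava.moe"` in the new `security.acme.certs."lava.moe"` block does not cover the apex name, yet the `"lava.moe"` virtualHost in the second hunk of modules/services/nginx.nix now binds to it via `useACMEHost = "lava.moe"`, so the apex would be served with a certificate whose names do not match it; add `extraDomainNames = [ "lava.moe" ];` next to `domain` so the apex is issued alongside the wildcard. Switching from `enableACME` (HTTP-01) to a DNS-01 challenge also makes the Cloudflare credential in `acme_dns` a standing secret that can obtain certificates for any name under the zone, so it is worth a comment beside `credentialsFile` recording the expected scope, e.g. `# Cloudflare API token used for DNS-01; keep it limited to DNS edit rights on the lava.moe zone only`. The `security.acme` attribute set is complete within this hunk, but `services.nginx` continues past it.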
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 U9FXlg dDnXFO4iUwixemx1WPFZSM15/z7xtAGjZxriBbsURRg +uv6gdP/LDmZMZu/B3IWWYEzfR+H7TJsR3Zo8hYzthQE +-> ssh-ed25519 krYeuQ Yo3FXb2pDijXv2JxYvNP3IF0DADygWjIHEoUlfCw3zc +vly4m2xyGfuJxBPue0mk9dodc4YAEKYTWLwx9ljVhWs +-> ,-grease +v4PvG0kmxXhjh7Jf +--- 6yg8u5a9px36osMqiVI4ZPfea+ySjKB8GR/TcCG/ZXU +qT!|E#r QT QMɑIX#:f|kSis^~^ _K}"I)GI +~ы*4A^w( \ No newline at end of file